US20060288416A1 - System and method for efficiently scanning a file for malware - Google Patents
- Publication number: US20060288416A1 (application US11/154,267)
- Authority: US (United States)
- Prior art keywords: file, data, system memory, computer, malware
- Legal status: Granted
Classifications
- G—PHYSICS
  - G06—COMPUTING; CALCULATING OR COUNTING
    - G06F—ELECTRIC DIGITAL DATA PROCESSING
      - G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
        - G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
          - G06F21/51—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability
          - G06F21/55—Detecting local intrusion or implementing counter-measures
            - G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
              - G06F21/566—Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
Definitions
- the present invention relates to computers and, more particularly, to efficiently scanning a file stored on a computer for malware.
- antivirus software typically performs a scan or other analysis of the file before the open operation is satisfied. If malware is detected, the antivirus software that performed the scan may prevent the malware from being executed, for example, by causing the open operation to fail.
- an operating system installed on the computer loads file data from a computer-readable medium into system memory that is accessible to the Central Processing Unit (“CPU”).
- the CPU performs essential operations on behalf of the antivirus software in searching for malware.
- Those skilled in the art and others will recognize that loading file data from a computer-readable medium into system memory is often a “bottleneck” in a computer's performance. As a result, a CPU frequently remains idle, waiting to perform operations while data is being loaded into system memory.
- a primary reason why reading and/or writing data using a computer-readable medium is slow stems from the fact that this type of device employs a read/write head that typically uses electromechanical means to interact with a media where data is stored.
- a read/write head is only able to read data when media with which it interacts spins under the read/write head. The physical movement of media in passing underneath a read/write head is slow when compared to mechanisms used to read/write data from more expensive system memory.
- modern computer systems typically implement optimizations designed to minimize the time required to read and/or write data from a computer-readable medium.
- data in a file will typically be defragmented or arranged contiguously on a computer-readable medium to minimize the number of “seek” operations in which data from disparate locations on a computer-readable medium is required to pass under a read/write head.
- scanning a file for malware is a resource intensive task that limits the speed in which programs may be executed.
- One reason that scanning a file for malware is a resource intensive task results from the fact that antivirus software may not access data in a file contiguously. Instead, when scanning a file for malware, some antivirus software only scans data that is needed to determine whether the file is infected and may request data in the file without regard to where the data is located. Thus, antivirus software may initially request and obtain data that is located at the end of the file and then make subsequent requests for data that is located in other parts of the file. As a result, numerous “seek” operations are performed to determine whether a file is infected with malware.
- the foregoing problems with the state of the prior art are overcome by the principles of the present invention, which are directed toward a system, method, and a computer-readable medium for efficiently loading data from a file into system memory in order to scan the file for malware.
- the logic provided by the present invention reduces the resources required by antivirus software to scan a file for malware and thereby improves the experience of a user when operating a computer protected by the antivirus software.
- One aspect of the present invention is a method of efficiently loading data into system memory from a computer-readable medium for purposes of malware detection. More specifically, when antivirus software scans a file for malware, the method (1) identifies a pattern in which data in the file is loaded into system memory from a computer-readable medium; (2) identifies a pattern in which data in the file may be loaded into system memory that minimizes the time required to read data in the file; and (3) in a subsequent scan of the file for malware, causes data in the file to be loaded into system memory in accordance with the pattern that minimizes the time required to read data in the file.
- a software system for efficiently scanning a file for malware includes (1) a scan engine for identifying data that is characteristic of malware; (2) a persistent data store that tracks the segments of data that are loaded into system memory when a scan of the file for malware is performed; and (3) an efficient scan module operative to optimize the way in which data is loaded into system memory when a file will be scanned for malware by the scan engine.
- a computer-readable medium is provided with contents, i.e., a program that causes a computer to operate in accordance with the methods described herein.
- FIG. 1 is a block diagram of a computer with software components that are configured to efficiently load data into system memory in accordance with the present invention;
- FIG. 2 is a pictorial depiction of an exemplary bit map cache that may be used in conjunction with the present invention to selectively scan a file for malware;
- FIG. 3 is a flow diagram illustrating one exemplary embodiment of a method that efficiently performs a scan for malware that is formed in accordance with the present invention;
- FIG. 4 is a pictorial depiction of an exemplary persistent data store that tracks the segments of data in a file that are loaded into system memory when a file is scanned for malware in accordance with the present invention;
- FIG. 5 is a pictorial depiction of a computer-readable medium and a method for accessing a file stored on the computer-readable medium that is formed in accordance with the prior art;
- FIG. 6 is a pictorial depiction of a computer-readable medium and a method for accessing the computer-readable medium that is formed in accordance with the present invention.
- the present invention is directed toward a system, method, and a computer-readable medium for efficiently loading data from a file into system memory in order to scan the data for malware.
- the logic provided in the present invention improves the experience of a user when operating a computer protected with antivirus software by efficiently scanning data on the computer for malware.
- One aspect of the present invention is a method that identifies a pattern in which data in a file is loaded into system memory from a computer-readable medium. Then the method identifies a pattern in which data in the file may be loaded into system memory in a way that minimizes the time required to read data in the file. When a subsequent scan of the file is scheduled to occur, the method causes data in the file to be loaded in memory using the pattern that minimizes the time required to read data in the file.
- the present invention may be described in the general context of computer-executable instructions, such as program modules, being executed by a computer.
- program modules include routines, programs, objects, components, data structures, and so forth that perform particular tasks or implement particular abstract data types.
- the invention may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network.
- program modules may be located in local and/or remote computer storage media.
- the present invention will primarily be described in the context of efficiently scanning one or more files for malware, those skilled in the relevant art and others will recognize that the present invention is also applicable to other areas than those described.
- the present invention may be used to efficiently scan units of data other than a file for malware.
- the following description first provides an overview of a system in which the present invention may be implemented. Then a method that implements the present invention is described.
- the illustrative examples provided herein are not intended to be exhaustive or to limit the invention to the precise forms disclosed.
- any steps described herein may be interchangeable with other steps or combinations of steps in order to achieve the same result.
- With reference to FIG. 1, components of a computer 100 that are capable of implementing aspects of the present invention will be described.
- the computer 100 may be any one of a variety of devices including, but not limited to, personal computing devices, server-based computing devices, mini- and mainframe computers, or other electronic devices having some type of memory.
- FIG. 1 does not show the typical components of many computers, such as a CPU, keyboard, a mouse, a printer, or other I/O devices, a display, etc.
- the computer 100 does include a computer-readable medium 102 , system memory 104 , a memory manager 106 , and antivirus software 108 .
- the antivirus software 108 includes a scan engine 110 , a bit map cache 112 , an efficient scan module 114 , and a persistent data store 116 .
- the computer 100 and antivirus software 108 illustrated in FIG. 1 are highly simplified examples which only illustrate components that are necessary for an understanding of the present invention. In actual embodiments of the present invention, the computer 100 and the antivirus software 108 will have additional components that are not illustrated in FIG. 1 .
- the computer 100 is only one example of a computer capable of implementing aspects of the present invention and is not intended to suggest any limitation as to the scope of use or functionality of the invention.
- the present invention performs optimizations designed to improve the efficiency of antivirus software in scanning for malware.
- the optimizations performed include efficiently reading data from a computer-readable medium 102 into the system memory 104 , using heuristics to “pre-fetch” data into system memory 104 , and performing load balancing to efficiently allocate limited resources when scanning a plurality of files for malware.
- the computer 100 includes a computer-readable medium 102 that may be any available media that is accessible by the computer 100 and includes both volatile and nonvolatile media and removable and non-removable media.
- the computer-readable medium 102 may be volatile or nonvolatile, removable or nonremovable, implemented using any technology for storage of information such as, but not limited to a hard drive, CD-ROM, DVD, or other disk storage, magnetic cassettes, magnetic tape, magnetic disk storage, or any other media that can be used to store the desired information and may be accessed by the computer 100 even through a computer network. Combinations of any of the media described above should also be included within the scope of a computer-readable medium.
- the computer 100 also includes system memory 104 that may be volatile or nonvolatile memory, such as Read Only Memory (“ROM”), Random Access Memory (“RAM”), or other storage system that is readily accessible to a CPU on the computer.
- ROM and RAM typically contain data and/or program modules that are immediately accessible to and/or currently being operated on by the CPU.
- a component of an operating system installed on the computer 100 loads file data from a computer-readable medium 102 into system memory 104 that is accessible to a CPU (not illustrated).
- loading file data from the computer-readable medium 102 into the system memory 104 is often a “bottleneck” in a computer's performance.
- a CPU frequently remains idle, waiting to perform operations on behalf of antivirus software while data is being loaded into the system memory 104 .
- a CPU serves as the computational center of the computer 100 by supporting the execution of program code including program code implemented by the present invention.
- Most malware carry out their malicious functionality when malware program code is loaded into system memory 104 and then “executed” by the CPU.
- the antivirus software 108 is configured to scan for malware “on access” when an application program is scheduled to be executed. For example, a computer user may issue a command to start execution of an application program by “double clicking” on an icon associated with the program or by selecting the program through other means.
- a request to perform input/output (“I/O”) with a hardware device, such as the computer-readable medium 102 is typically generated by an application program.
- Prior to the request being satisfied, the antivirus software 108 is notified that the I/O request occurred.
- the antivirus software 108 will cause one or more files associated with the application program to be scanned “on access” when data that implements the program is loaded into system memory 104 but prior to the data being executed. Only when the antivirus software 108 does not identify malware in the data is the application program allowed to execute.
- the antivirus software 108 will typically be configured to scan all or any number of the files on the computer-readable medium 102 “on demand” in response to a command. In this instance, certain data from files that are scheduled to be scanned for malware are loaded into system memory 104 and scanned for malware by the antivirus software 108 . In accordance with one embodiment, when a plurality of files is scheduled to be scanned “on-demand,” the present invention causes data to be read into memory in a way that optimizes the resources of the computer.
- files of types that are known to be “CPU bound” are scheduled to be read into system memory and scanned together with files of types that are known to be “I/O bound.”
- aspects of the present invention minimize the number of idle CPU cycles that occur when performing an “on-demand” scan for malware.
- the present invention may be implemented in conjunction with antivirus software that performs a scan for malware “on access” and/or “on demand” to improve the speed in which a scan is performed.
- aspects of the present invention may cause a scan for malware to be performed in other instances than those described above.
- aspects of the present invention may be used in conjunction with a memory manager 106 that uses heuristics to “pre-fetch” data into system memory 104 in anticipation that a user will cause a particular application program to be executed.
- the computer 100 includes a memory manager 106 that operates in conjunction with a computer operating system (not illustrated) to manage memory on behalf of the computer 100 .
- currently existing memory managers typically provide a virtual memory address space so that the amount of storage space available to an application program is larger than the storage space provided by the system memory 104 .
- the virtual memory addresses used by the application program are converted into physical memory addresses by the memory manager 106 so that necessary data may be swapped into system memory 104 .
- the memory manager 106 works to provide performance improvements in memory management by loading and maintaining data in system memory 104 that is likely to be needed before the data is actually needed. Units of data typically known as pages are prioritized with a value/score that is computed using a variety of factors, including the frequency of use, time of last use, ease of data transfer and other context-based information. The memory manager 106 works to pre-fetch and/or maintain the more valuable pages of data in memory. If a program needs to be swapped out or overwritten, a page of data may be automatically brought back into system memory 104 , not because of actual demand, but rather because of expected demand.
- the memory manager 106 substantially reduces or eliminates transfer operations from the computer-readable medium 102 .
- a detailed explanation of a method and mechanisms that “pre-fetches” or loads and maintains pages of data in system memory based on the expected demands of the user may be found in commonly assigned, copending U.S. patent application Ser. No. 10/952,336, entitled “Methods and Mechanisms for Proactive Memory Management,” the content of which is expressly incorporated herein by reference.
- the antivirus software 108 in which aspects of the present invention may be implemented includes a scan engine 110 designed to detect data that is characteristic of malware.
- Many different software vendors include a scan engine or similar software module in antivirus software.
- One known technique employed by some existing scan engines that is used to identify data characteristic of malware includes obtaining a copy of the malware “in the wild.” Then the data that implements the malware is processed with a hash function that converts the data or a characteristic subset of the data into a signature that uniquely identifies the malware.
- the scan engine 110 illustrated in FIG. 1 may employ this known technique of scanning a file for a malware signature.
- heuristic techniques are employed when identifying data characteristic of malware that may be used by the scan engine 110 .
- the examples described herein should be construed as exemplary and not limiting, as the scan engine 110 may employ any one of a number of existing, or yet to be developed, malware detection techniques.
- the scan engine 110 may be optimized to scan a file by only searching data in a file that has the potential to expose a computer to the effects of malware.
- data is typically associated with a file that describes attributes of the file.
- a scan engine that searches for malware in a file without the context of data that is associated with a file is inefficient.
- the scan engine 110 may search the header of a file and determine that the file is incapable of exposing a computer to the effects of malware. In this instance, the scan engine 110 will not scan subsequent portions of the file because those subsequent portions are not capable of implementing the effects of malware.
- the scan engine 110 may search data contained in the header of a file and determine that segments of data in the file have the potential to expose a computer to the effects of malware.
- data associated with the document identifies locations within the document that contain “macros” or “embedded objects” with executable program code.
- the scan engine 110 searches the data in the file and identifies the locations within the document that have the potential to expose a computer to the effects of malware. Then, the scan engine 110 requests and scans data located in these areas of the document. While a scan engine that only scans data needed to determine whether a file contains malware is an optimization over the prior art, it may result in a significant number of time-consuming “seek” operations. As described in further detail below, one aspect of the present invention is directed to minimizing the number of “seek” operations performed when scanning a file for malware.
- the antivirus software 108 in which aspects of the present invention may be implemented also includes a bit map cache 112 .
- the present invention will typically be used in conjunction with a system that selectively scans one or more files on a computer for malware.
- the existing system associates a variable with a file when a scan of the file is performed. If the variable indicates that the file is malware, any attempt to access the file by the user fails. Conversely, if the variable indicates that the file is not malware and data in the file has not been modified, an attempt to execute the file will succeed without requiring an additional scan of the file to be performed.
- the information necessary to determine whether a scan of the file is necessary is maintained in the bit map cache 112 .
- For illustrative purposes and by way of example only, the contents of a sample bit map cache 112 are shown in FIG. 2. As illustrated, the bit map cache 112 consists of three columns, each of which contains multiple entries. The columns are identified as FILEINDX 200 , FIRST BIT 202 , and SECOND BIT 204 .
- the FILEINDX 200 field contains a value that is used to uniquely identify a file.
- a computer-readable medium such as a hard drive, is typically partitioned into logical units referred to as volumes. Each volume has a central location where information about files on the volume is stored, including a unique identifier that is used to access a file internally.
- the FIRST BIT 202 , and SECOND BIT 204 fields each store a value that collectively identifies the state of the file.
- both the FIRST BIT 202 and SECOND BIT 204 fields contain a value that is either a “0” or a “1.”
- the state of the file is “known malware.”
- the FIRST BIT 202 field contains a “0” and the SECOND BIT 204 field contains a “1,” then the state of the file is “known good.”
- the FIRST BIT 202 field contains a “0” and the SECOND BIT 204 field contains a “0,” then the state of the file is “unknown.”
- FIG. 2 illustrates a bit map cache 112 that has specific attributes, those skilled in the art will appreciate
- the antivirus software 108 is configured to perform a lookup in the bit map cache 112 when a scanning event is identified.
- the variables associated with a file in the bit map cache 112 dictates whether the file will be scanned for malware.
- the antivirus software 108 causes a scan to be performed and updates the bit map cache 112 to reflect the results of the scan. If the file was previously scanned and the contents of the file have not changed, the antivirus software 108 does not perform a scan, thereby minimizing the computational resources used by the antivirus software 108 .
- a detailed explanation of a system and method that tracks whether a file needs to be scanned for malware may be found in commonly assigned, copending U.S.
- aspects of the present invention may be used to populate the contents of the bit map cache 112 before an “on access” or “on demand” scan of a file occurs.
- the present invention is implemented in conjunction with a memory manager 106 that “pre-fetches” or loads data in system memory 104 based on the expected demands of a user.
- a scan for malware is performed when the memory manager 106 “pre-fetches” data into the system memory 104 .
- the memory manager 106 will typically load data from a plurality of files into system memory 104 in anticipation that a user will cause one or more application programs associated with the files to be executed.
- data loaded in system memory 104 may be scanned for malware “in the background” before an application program is executed.
- the contents of the bit map cache 112 are updated to reflect the results of the scan.
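The bit map cache described above, worked as an added example (this is not the patent's own code). It models FIG. 2 as a map from FILEINDX to the two state bits, performs the lookup on access, scans only when the state is unknown, refuses access to known malware without rescanning, and shows the background population of the cache from pre-fetched data. Two things are assumptions because the page does not state them: the bit pattern for “known malware” (FIRST BIT = 1 here), and the use of a content digest taken at scan time to decide whether the file has been modified. The scan engine and the marker it matches are constructed stand-ins.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed marker recognised by the toy scan engine below; not a real signature.
MARKER = b"CONSTRUCTED-MALWARE-MARKER"

# FIRST BIT / SECOND BIT encodings from FIG. 2. The page gives the "known good"
# and "unknown" patterns; the "known malware" pattern is an assumption.
KNOWN_GOOD = (0, 1)
UNKNOWN = (0, 0)
KNOWN_MALWARE = (1, 0)


def scan_engine(data: bytes) -> bool:
    """Stand-in for scan engine 110: True when the data is characteristic of malware."""
    return MARKER in data


def _digest(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


@dataclass
class CacheEntry:
    first_bit: int
    second_bit: int
    # Assumption: a content digest taken at scan time is how "the contents of the
    # file have not changed" is checked; the page does not say how this is tracked.
    digest: bytes


@dataclass
class BitMapCache:
    entries: dict = field(default_factory=dict)  # FILEINDX -> CacheEntry
    scans_performed: int = 0                     # instrumentation for the demo

    def state(self, fileindx: int, data: bytes) -> tuple:
        entry = self.entries.get(fileindx)
        if entry is None:
            return UNKNOWN
        bits = (entry.first_bit, entry.second_bit)
        if bits == KNOWN_GOOD and entry.digest != _digest(data):
            # The file was modified after its last scan: the old verdict no longer holds.
            return UNKNOWN
        return bits

    def record(self, fileindx: int, data: bytes, is_malware: bool) -> None:
        bits = KNOWN_MALWARE if is_malware else KNOWN_GOOD
        self.entries[fileindx] = CacheEntry(bits[0], bits[1], _digest(data))


def on_access(cache: BitMapCache, fileindx: int, data: bytes) -> bool:
    """On-access check: look the file up in the bit map cache first and scan only
    when the state is unknown. Returns True if the open/execute may proceed."""
    state = cache.state(fileindx, data)
    if state == KNOWN_MALWARE:
        return False                 # known malware: every access attempt fails
    if state == KNOWN_GOOD:
        return True                  # previously scanned and unchanged: no rescan
    cache.scans_performed += 1
    is_malware = scan_engine(data)
    cache.record(fileindx, data, is_malware)
    return not is_malware


def prescan(cache: BitMapCache, prefetched: dict) -> None:
    """Background population of the cache for data the memory manager has already
    pre-fetched (FILEINDX -> bytes), so that later on-access checks are pure lookups."""
    for fileindx, data in prefetched.items():
        if cache.state(fileindx, data) == UNKNOWN:
            cache.scans_performed += 1
            cache.record(fileindx, data, scan_engine(data))


if __name__ == "__main__":
    cache = BitMapCache()
    prescan(cache, {1: b"clean program bytes", 2: b"dropper " + MARKER})
    print(on_access(cache, 1, b"clean program bytes"),   # True, no extra scan
          on_access(cache, 2, b"dropper " + MARKER))     # False, no extra scan
```

The `scans_performed` counter is only there to make the saving visible: a second access to an unchanged clean file, or any access to a file already marked as malware, costs a dictionary lookup and no scan, while a modified file drops back to the unknown state and is scanned again.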
- the antivirus software 108 also includes an efficient scan module 114 that contains software routines and logic implemented by the present invention. Since functions and different embodiments of the efficient scan module 114 are described below with reference to FIG. 3 , a detailed description of the module 114 will not be provided here. However, generally described, the module 114 implements logic to reduce or eliminate the overhead involved in scanning a file for malware. For example, one aspect of the efficient scan module 114 efficiently reads data from a storage device (e.g., the computer-readable medium 102 ) into memory accessible to a CPU (e.g., the system memory 104 ).
- the efficient scan module 114 identifies an optimal pattern to load data in the file into system memory based on how the scan engine 110 accesses data in the file.
- Data that describes a pattern used to scan each file on a computer for malware is stored in a persistent data store 116 and updated each time a file is scanned.
- FIG. 1 is a simplified example of one computer 100 capable of performing the functions of the present invention. Actual embodiments of the computer 100 will have additional components not illustrated in FIG. 1 or described in the accompanying text. Also, FIG. 1 shows one component architecture for minimizing the overhead required in scanning a file for malware, but other component architectures are possible. Thus, the components illustrated in FIG. 1 should be construed as exemplary and not limiting.
- With reference to FIG. 3, an exemplary embodiment of the efficient scan module 114 illustrated in FIG. 3 that minimizes the overhead involved in scanning a file for malware will be described.
- the efficient scan module 114 remains idle and waits until a scanning event is identified.
- antivirus software may initiate a scan for malware in many different circumstances. As described above with reference to FIG. 1 , existing antivirus software will typically perform a scan for malware “on access” when a user or software system selects an application program for execution. Since executing an application program may expose a computer to malware, the files associated with the application program are scanned before execution is initiated. Moreover, existing antivirus software is typically configured to perform a scan “on demand” when a user or software system generates a command that causes a volume or other logical partition of data to be scanned for malware. The efficient scan module 114 may also be implemented in conjunction with antivirus software that performs a scan for malware “on access” and/or “on demand” to improve the speed in which a scan is performed.
- the efficient scan module 114 may also be implemented with a software system that uses heuristics to “pre-fetch” data into system memory in anticipation that a user will cause an application program to be executed.
- Data required to execute the application program is scanned for malware when loaded into system memory before the user issues the command to execute the program.
- data is loaded into system memory and a scan for malware is performed “in the background” without requiring input from the user.
- the present invention may cause data to be “pre-fetched” into system memory and scanned for malware when computer resources (e.g., the CPU) on the computer are idle thereby minimizing the impact of scanning data for malware.
- aspects of the present invention may either scan a single file for malware or a plurality of files.
- aspects of the present invention schedule files to be scanned in an order that maximizes resource utilization of the computer.
- the efficient scan module 114 proceeds to block 306 , described in further detail below. Conversely, if a plurality of files will be scanned, the efficient scan module 114 proceeds to block 304 .
- the efficient scan module 114 arranges the order in which files will be scanned for malware in a way that optimizes the use of computer resources. If block 304 is reached, a plurality of files is scheduled to be scanned for malware as a result of the scanning event identified at block 300 . In accordance with one aspect of the present invention, the files are scheduled to be read into system memory and scanned in a way that maximizes resource usage on the computer.
- antivirus software typically needs two resources to scan a file for malware, including (1) a CPU and (2) a storage device (e.g., the computer readable medium 102 ) where the file data is stored.
- the “bottleneck” in computer performance caused by CPU-bound applications led software engineers to develop systems in which multiple requests to read data are scheduled to occur asynchronously with other processing performed by an application program.
- multiple requests to read data into system memory are input into a queue so that when an I/O request is initiated, control may be returned to the calling program.
- a queue dispatches asynchronous read requests in order to load required file data from multiple files into system memory.
- the efficient scan module 114 separates files that will be scanned for malware into “CPU bound” and “I/O bound” files.
- the files are separated based on file type. For example, antivirus software developers have recognized that certain file types will result in a CPU bound scan for malware in which a large amount of processing will be performed on a relatively small amount of data. Similarly, other file types are more likely to result in an I/O bound scan for malware. A file that will cause an I/O bound scan for malware is matched with and will be scheduled congruently with a file that will cause a CPU bound scan for malware.
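The scheduling step of block 304, as an added example that is not part of the patent: files are classified by type into CPU bound and I/O bound, the two lists are interleaved so that each I/O bound file is dispatched alongside a CPU bound one, and a two-resource simulation (a queue that reads files one after another asynchronously to the CPU, and a scan engine that scans each file once its data is in memory) reports the total time and the idle CPU time for a given order. The file-type table and the per-file timings are constructed for the demonstration; the page says only that developers know which types tend to be CPU bound or I/O bound.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class ScanJob:
    """A file queued for an on-demand scan. Times are constructed, in arbitrary
    units: read_time is spent on the storage device, cpu_time on the scan engine."""
    name: str
    read_time: int
    cpu_time: int


# Constructed classification table (assumption): which types yield CPU bound scans.
CPU_BOUND_TYPES = {"exe", "dll"}


def kind(job: ScanJob) -> str:
    """Classify a job as 'cpu' or 'io' bound by its file type (extension)."""
    ext = job.name.rsplit(".", 1)[-1].lower()
    return "cpu" if ext in CPU_BOUND_TYPES else "io"


def pair_schedule(jobs):
    """Block 304: alternate I/O bound and CPU bound files so that each disk-heavy
    read is queued next to a CPU-heavy scan that can overlap with it."""
    cpu = deque(j for j in jobs if kind(j) == "cpu")
    io = deque(j for j in jobs if kind(j) == "io")
    order = []
    while cpu or io:
        if io:
            order.append(io.popleft())
        if cpu:
            order.append(cpu.popleft())
    return order


def simulate(order):
    """Two-resource model: the queue reads files in `order` back to back, and the
    scan engine starts each file as soon as its data has landed in system memory
    and the CPU is free. Returns (time at which the last scan ends, idle CPU time)."""
    disk_free = 0      # time at which the storage device finishes the current read
    cpu_free = 0       # time at which the scan engine finishes the current scan
    cpu_idle = 0
    for job in order:
        disk_free += job.read_time            # data is in memory at this time
        start = max(cpu_free, disk_free)      # scan waits for data and for the CPU
        cpu_idle += start - cpu_free
        cpu_free = start + job.cpu_time
    return cpu_free, cpu_idle


if __name__ == "__main__":
    jobs = [ScanJob("a.bin", 10, 1), ScanJob("b.bin", 10, 1),
            ScanJob("c.exe", 1, 10), ScanJob("d.exe", 1, 10)]
    print("arrival order:", simulate(jobs))                   # (41, 19)
    print("paired order: ", simulate(pair_schedule(jobs)))    # (32, 10)
```

With the constructed jobs, scanning them in arrival order leaves the CPU idle while the two large reads complete and then leaves the disk idle while the two heavy scans run; the paired order overlaps the second large read with the first heavy scan, which is the idle-cycle reduction the passage describes.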
- data from a file that is an object of the scanning event identified at block 300 is selected or scheduled to be read into system memory.
- the efficient scan module 114 may either be scanning a single file or a plurality of files for malware.
- the request is placed in a queue along with other requests.
- an existing system that uses a queue to schedule and satisfy I/O requests “selects” or schedules a file to be read into system memory based on an algorithm that is “fair.” Since these existing systems are generally known in the art, they will not be described in further detail here. However, it should be well understood that a request to read data into system memory may be performed using different systems and that the examples described herein should be construed as exemplary and not limiting.
- the efficient scan module 114 determines whether a file specific scanning pattern for the selected file is known.
- a software module (e.g., the scan engine 110 ) only analyzes data in a file that is necessary to determine whether the file is infected with malware. Since certain portions of the file may not be capable of exposing a computer to the effects of malware, not all data in the file is necessarily loaded into system memory and scanned. Instead, segments of data that may be capable of implementing the malicious functionality of malware are identified and loaded into system memory.
- a software module that only scans relevant portions of a file for malware may cause a significant number of “seek” operations to be performed, in which a read/write head is required to obtain data from remote locations on a computer-readable medium.
- the pattern in which data in a file is accessed by a scan engine is stored in a database (e.g., the persistent data store 116 ) and updated each time a scan is performed.
- the efficient scan module 114 determines whether a file specific scanning pattern is available by querying a database (e.g., the persistent data store 116 ). If the database maintains an entry for the selected file with data that describes a scanning pattern, the efficient scan module 114 proceeds to block 310 . Conversely, if the database does not maintain an entry for the selected file with data that describes a scanning pattern, the efficient scan module 114 proceeds to block 312 , described below.
- the efficient scan module 114 obtains a scanning pattern for the file selected at block 306 .
- data that describes how a file is scanned is maintained in a database (e.g., the persistent data store 116 ).
- the persistent data store 116 consists of four columns, each of which contains multiple entries. The columns are identified as FILEINDX 400 , TYPE 402 , OFFSET 404 , and SIZE 406 . Similar to the FILEINDX 200 field maintained in a bitmap cache 112 , described above with reference to FIG. 2 , the FILEINDX 400 field illustrated in FIG.
- the OFFSET 404 and SIZE 406 fields store values that collectively identify segments of data in a file that were loaded into system memory and analyzed in a scan of the file.
- the OFFSET 404 field contains a value that identifies the number of bytes from the beginning of the file where a segment of data was obtained when a scan of the file was performed.
- the value maintained in the associated SIZE 406 field identifies the total number of bytes that were obtained starting from the location represented in the OFFSET 404 field.
- each file on a volume that has been scanned for malware maintains an entry in the persistent data store 116 .
- the resource requirements of storing data that describes a scanning pattern for every file on the volume may not provide the desired performance benefits on some computer systems.
- only the most frequently scanned files maintain an entry in the persistent data store 116 .
- access patterns from the most frequently scanned files may be used to predict access patterns for a file of a particular type.
- the efficient scan module 114 obtains data that identifies the segments of data (e.g., offset and size) in a file that were loaded into system memory and analyzed in a scan of the file. Simply stated, the efficient scan module 114 is able to obtain the data that identifies the segments of data that were loaded into system memory by querying the persistent data store 116 with a function call.
- the efficient scan module 114 obtains a scanning pattern for the type of file that was selected at block 306 . If block 312 is reached, a file specific scanning pattern is not available from the persistent data store 116 which may occur, for example, if the selected file was not previously scanned for malware. Alternatively, a file specific scanning pattern may not be available from the persistent data store 116 because the present invention may be configured to only store a scanning pattern for the most frequently used files. In this instance, the efficient scan module 114 will load data into system memory based on data obtained from scans performed on files of the same type as the selected file. Those skilled in the art and others will recognize that files that are the same type typically maintain common characteristics such as the same file extension (e.g. “.EXE”, “.DOC”, etc.) that may be used to differentiate these files from other file types. However, those skilled in the art and others will recognize that other characteristics besides a file extension may be used to differentiate between file types.
- files stored on a computer typically adhere to well-defined formats and therefore have common traits.
- the commonality between files of the same type may be used to define a default scanning pattern for the file selected at block 306 .
- some file types maintain data in a file header that identifies locations into a file where executable program code that has the potential to expose a computer to malware is located.
- a scan engine will always access data in the header of a particular file type.
- the efficient scan module 114 identifies locations in files of the same type that are always scanned for malware.
- a query may be passed to the persistent data store 116 that returns the location of data segments in a file that is always scanned for malware.
- the efficient scan module 114 may parse data in a file and identify locations that are likely to be needed by a scan engine.
- the efficient scan module 114 identifies an optimized order in which segments of data in the selected file will be loaded from a computer-readable medium into system memory.
- FIG. 5 depicts an exemplary computer-readable medium 500 that stores data segments 502 , 504 , 506 , and 508 in a file (not shown) that will be loaded into system memory and scanned for malware in accordance with the prior art.
- FIG. 5 illustrates an exemplary scanning pattern 510 that shows the movement of the computer-readable medium 500 in relation to a read/write head 512 when the data segments 502 , 504 , 506 , and 508 are loaded into system memory.
- a scan engine first requests data segment 506 which results in the computer-readable medium 500 moving so that the read/write head 512 is located adjacent to the data segment 506 .
- the data requested by the scan engine is loaded into system memory.
- the scan engine requests the data segment 502 .
- the computer-readable medium 500 then moves so that the read/write head 512 is adjacent to the data segment 502 .
- the data segment 502 is read into system memory.
- data segments 504 and 508 are subsequently loaded into system memory using the same techniques.
- FIG. 6 contains the same computer-readable medium 500 and data segments 502 , 504 , 506 , and 508 that are illustrated in FIG. 5 .
- the efficient scan module 114 causes data that is likely to be scanned for malware to be loaded into system memory before the data is needed. Also, the data will typically be accessed in a way that minimizes the number of seek operations that need to be performed.
- FIG. 6 depicts an exemplary scanning pattern 600 that may be identified by aspects of the present invention. Similar to FIG.
- a scan engine may request the data segments 502 , 504 , 506 , and 508 in any order without regard for the location of the data segments in relation to each other. However since the data segments 502 , 504 , 506 , and 508 are being loaded into system memory before they are needed, they may be accessed in an order that minimizes the time requirements of the loading process. As illustrated in FIG.
- the optimizations performed by the efficient scan module 114 may include but are not limited to (1) loading contiguous data segments at the same time to minimize the number of seek operations that are performed, (2) loading data segments in an order that minimizes movement of the computer-readable medium 500 under a read/write head 512 , and (3) loading noncontiguous data segments that are separated by a small and unnecessary data segment in the same operation.
- the efficient scan module 114 may determine that loading all file data into system memory may be more efficient than loading segments of data. This may occur, for example, when a small file with data that is contiguously stored on a computer-readable medium is the object of a scanning event.
- the efficient scan module 114 causes data that is likely to be scanned for malware to be loaded into system memory.
- a component of the operating system commonly referred to as a “loader” is responsible for copying data from a computer-readable medium into system memory.
- a loader typically copies the data when needed, aspects of the present invention cause the loader to copy the necessary data in anticipation that the data will be needed.
- a scan of the file selected at block 306 is performed.
- a known technique that may be employed to scan a file for malware includes obtaining a copy of the malware “in the wild.” Then the data that implements the malware is processed with a hash function that converts the data, or a characteristic subset of the data, into a signature that uniquely identifies the malware.
- performing the scan may include searching data loaded into system memory for a signature that is associated with malware.
- a database (e.g., the persistent data store 116 ) is updated with information that describes the scanning pattern in which data in the selected file was accessed and scanned at block 318 .
- a scan engine may access segments of data from a file in any order to determine whether the file contains malware. Aspects of the present invention track how the data is accessed when a scan is performed and record this information in a database (e.g., the persistent data store 116 ). Then, in anticipation that another scan of the file will be needed, the database (e.g., the persistent data store 116 ) is queried and the segments of data that were previously accessed when a scan occurred are loaded into system memory before the data is needed. In any event, at block 320 data in a database (e.g., the persistent data store 116 ) is updated with information that describes segments of data that were accessed and scanned at block 318 .
- the efficient scan module 114 determines if any files that were scheduled to be scanned for malware at block 300 have not previously been selected. If additional file(s) will not be selected, the efficient scan module 114 proceeds to block 324 , where it terminates. Conversely, if at least one additional file will be selected, the efficient scan module 114 proceeds back to block 306 and blocks 306 through 322 repeat until all of the files that were the object of a scanning event have been selected.
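The bookkeeping of blocks 308 through 320 (file-specific pattern, fall-back to a pattern for the file type, recording the observed pattern) and the three load-order optimizations illustrated in FIG. 6, as an added Python model that is not part of the patent. The FILEINDX/TYPE/OFFSET/SIZE rows follow FIG. 4; the gap threshold, the small-file limit and the byte offsets of segments 502 through 508 are assumptions made for this example.

```python
"""Added example: persistent data store and seek-minimizing load order."""
from dataclasses import dataclass, field

# Tunables are assumptions for this example; the patent gives no numbers.
MAX_GAP = 4096          # unneeded gap that is cheaper to read through than to seek past
SMALL_FILE = 64 * 1024  # at or below this size, load the whole file in one read


@dataclass(frozen=True)
class Segment:
    """A run of bytes in a file, as described by the OFFSET and SIZE fields."""
    offset: int
    size: int

    @property
    def end(self) -> int:
        return self.offset + self.size


@dataclass
class PersistentDataStore:
    """Models the FILEINDX / TYPE / OFFSET / SIZE table of FIG. 4."""
    rows: list = field(default_factory=list)  # (fileindx, ftype, offset, size)

    def record_scan(self, fileindx, ftype, accessed):
        """Block 320: replace the stored pattern with the segments just scanned."""
        self.rows = [r for r in self.rows if r[0] != fileindx]
        self.rows.extend((fileindx, ftype, s.offset, s.size) for s in accessed)

    def file_pattern(self, fileindx):
        """Block 310: the file-specific pattern, or None if never recorded."""
        segs = [Segment(o, s) for f, _, o, s in self.rows if f == fileindx]
        return segs or None

    def type_pattern(self, ftype):
        """Block 312: segments every recorded file of this type had scanned."""
        by_file = {}
        for f, t, o, s in self.rows:
            if t == ftype:
                by_file.setdefault(f, set()).add(Segment(o, s))
        if not by_file:
            return None
        common = set.intersection(*by_file.values())
        return sorted(common, key=lambda s: s.offset) or None


def choose_pattern(store, fileindx, ftype):
    """Blocks 308-312: prefer the file's own pattern, else the type default."""
    return store.file_pattern(fileindx) or store.type_pattern(ftype)


def plan_loads(segments, file_size, max_gap=MAX_GAP, small_file=SMALL_FILE):
    """Block 314: read requests in disk order that fetch every segment.
    (1) contiguous segments merge into one read, (2) reads are issued in
    ascending offset order, (3) segments separated by a gap of at most
    max_gap merge into one read that includes the unneeded bytes.  A small
    file is read whole instead."""
    if file_size <= small_file:
        return [Segment(0, file_size)]
    reads = []
    for seg in sorted(segments, key=lambda s: s.offset):
        if reads and seg.offset - reads[-1].end <= max_gap:
            last = reads.pop()
            new_end = max(last.end, seg.end)
            reads.append(Segment(last.offset, new_end - last.offset))
        else:
            reads.append(seg)
    return reads


def seek_count(reads):
    """Head repositions needed for a sequence of reads (the first counts)."""
    seeks, pos = 0, None
    for r in reads:
        if pos != r.offset:
            seeks += 1
        pos = r.end
    return seeks


# Constructed layout for the file of FIGS. 5 and 6 (offsets are invented here).
FIG5_SEGMENTS = {
    502: Segment(0, 4096),          # header
    504: Segment(4096, 8192),       # contiguous with 502
    506: Segment(500_000, 16384),
    508: Segment(518_000, 2048),    # 1616 unneeded bytes after 506
}
PRIOR_ART_ORDER = [FIG5_SEGMENTS[n] for n in (506, 502, 504, 508)]  # FIG. 5 order
FILE_SIZE = 1_000_000

if __name__ == "__main__":
    store = PersistentDataStore()
    store.record_scan("a.exe", "EXE", [Segment(0, 4096), Segment(200_000, 1024)])
    store.record_scan("b.exe", "EXE", [Segment(0, 4096), Segment(90_000, 512)])
    print("type default for EXE:", store.type_pattern("EXE"))
    print("pattern for unseen c.exe:", choose_pattern(store, "c.exe", "EXE"))
    plan = plan_loads(FIG5_SEGMENTS.values(), FILE_SIZE)
    print("FIG. 5 seeks:", seek_count(PRIOR_ART_ORDER), "FIG. 6 seeks:", seek_count(plan))
```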
Description
- The present invention relates to computers and, more particularly, to efficiently scanning a file stored on a computer for malware.
- As more and more computers and other computing devices are interconnected through various networks such as the Internet, computer security has become increasingly more important, particularly from invasions or attacks delivered over a network or over an information stream. As those skilled in the art and others will recognize, these attacks come in many different forms, including, but certainly not limited to, computer viruses, computer worms, system component replacements, denial of service attacks, even misuse/abuse of legitimate computer system features, all of which exploit one or more computer system vulnerabilities for illegitimate purposes. While those skilled in the art will recognize that the various computer attacks are technically distinct from one another, for purposes of the present invention and for simplicity in description, all malicious computer programs that spread on computer networks, such as the Internet, will be generally referred to hereinafter as computer malware or, more simply, malware.
- When a computer system is attacked or “infected” by computer malware, the adverse results are varied, including disabling system devices; erasing or corrupting firmware, applications, or data files; transmitting potentially sensitive data to another location on the network; shutting down the computer system; or causing the computer system to crash. Yet another pernicious aspect of many, though not all, computer malware is that an infected computer system is used to infect other computer systems that are communicatively connected by a network connection.
- A traditional defense against computer malware and, particularly, against computer viruses and worms, is antivirus software that is available from numerous software vendors. Most antivirus software identifies malware by matching patterns within data to what is referred to as a “signature” of the malware. Typically, antivirus software scans for malware signatures when certain events are scheduled to occur, such as when data is going to be written or read from a computer-readable medium on the computer. As known to those skilled in the art and others, computer users have ongoing needs to read and write data to computer-readable mediums, such as a hard drive. For example, a common operation provided by some software applications is to open a file stored on a hard drive and display the contents of the file on a computer display. However, since opening a file may cause malware associated with the file to be executed, antivirus software typically performs a scan or other analysis of the file before the open operation is satisfied. If malware is detected, the antivirus software that performed the scan may prevent the malware from being executed, for example, by causing the open operation to fail.
- In order to scan a file for malware, an operating system installed on the computer loads file data from a computer-readable medium into system memory that is accessible to the Central Processing Unit (“CPU”). The CPU performs essential operations on behalf of the antivirus software in searching for malware. Those skilled in the art and others will recognize that loading file data from a computer-readable medium into system memory is often a “bottleneck” in a computer's performance. As a result, a CPU frequently remains idle, waiting to perform operations while data is being loaded into system memory.
- While computer-readable mediums are typically inexpensive to produce and store vast quantities of data, reading and/or writing data from this type of device is slow when compared to reading and/or writing data from system memory. A primary reason why reading and/or writing data using a computer-readable medium is slow stems from the fact that this type of device employs a read/write head that typically uses electromechanical means to interact with the media where data is stored. Those skilled in the art and others will recognize that a read/write head is only able to read data when the media with which it interacts spins under the read/write head. The physical movement of media in passing underneath a read/write head is slow when compared to mechanisms used to read/write data from more expensive system memory. As a result, modern computer systems typically implement optimizations designed to minimize the time required to read and/or write data from a computer-readable medium. For example, data in a file will typically be defragmented or arranged contiguously on a computer-readable medium to minimize the number of “seek” operations in which data from disparate locations on a computer-readable medium is required to pass under a read/write head.
- For a variety of reasons, scanning a file for malware is a resource intensive task that limits the speed at which programs may be executed. One reason that scanning a file for malware is a resource intensive task results from the fact that antivirus software may not access data in a file contiguously. Instead, when scanning a file for malware, some antivirus software only scans data that is needed to determine whether the file is infected and may request data in the file without regard to where the data is located. Thus, antivirus software may initially request and obtain data that is located at the end of the file and then make subsequent requests for data that is located in other parts of the file. As a result, numerous “seek” operations are performed to determine whether a file is infected with malware.
- The foregoing problems with the state of the prior art are overcome by the principles of the present invention, which are directed toward a system, method, and a computer-readable medium for efficiently loading data from a file into system memory in order to scan the file for malware. The logic provided by the present invention reduces the resources required by antivirus software to scan a file for malware and thereby improves the experience of a user when operating a computer protected by the antivirus software.
- One aspect of the present invention is a method of efficiently loading data into system memory from a computer-readable medium for purposes of malware detection. More specifically, when antivirus software scans a file for malware, the method (1) identifies a pattern in which data in the file is loaded into system memory from a computer-readable medium; (2) identifies a pattern in which data in the file may be loaded into system memory that minimizes the time required to read data in the file; and (3) in a subsequent scan of the file for malware, causes data in the file to be loaded into system memory in accordance with the pattern that minimizes the time required to read data in the file.
- In yet another aspect of the present invention, a software system for efficiently scanning a file for malware is provided. Components of the software system include (1) a scan engine for identifying data that is characteristic of malware; (2) a persistent data store that tracks the segments of data that are loaded into system memory when a scan of the file for malware is performed; and (3) an efficient scan module operative to optimize the way in which data is loaded into system memory when a file will be scanned for malware by the scan engine.
- In still another embodiment, a computer-readable medium is provided with contents, i.e., a program that causes a computer to operate in accordance with the methods described herein.
- The foregoing aspects and many of the attendant advantages of this invention will become more readily appreciated as the same become better understood by reference to the following detailed description, when taken in conjunction with the accompanying drawings, wherein:
- FIG. 1 is a block diagram of a computer with software components that are configured to efficiently load data into system memory in accordance with the present invention;
- FIG. 2 is a pictorial depiction of an exemplary bit map cache that may be used in conjunction with the present invention to selectively scan a file for malware;
- FIG. 3 is a flow diagram illustrating one exemplary embodiment of a method that efficiently performs a scan for malware that is formed in accordance with the present invention;
- FIG. 4 is a pictorial depiction of an exemplary persistent data store that tracks the segments of data in a file that are loaded into system memory when a file is scanned for malware in accordance with the present invention;
- FIG. 5 is the pictorial depiction of a computer-readable medium and a method for accessing a file stored on the computer-readable medium that is formed in accordance with the prior art; and
- FIG. 6 is the pictorial depiction of a computer-readable medium and a method for accessing the computer-readable medium that is formed in accordance with the present invention.
- The present invention is directed toward a system, method, and a computer-readable medium for efficiently loading data from a file into system memory in order to scan the data for malware. The logic provided in the present invention improves the experience of a user when operating a computer protected with antivirus software by efficiently scanning data on the computer for malware. One aspect of the present invention is a method that identifies a pattern in which data in a file is loaded into system memory from a computer-readable medium. Then the method identifies a pattern in which data in the file may be loaded into system memory in a way that minimizes the time required to read data in the file. When a subsequent scan of the file is scheduled to occur, the method causes data in the file to be loaded in memory using the pattern that minimizes the time required to read data in the file.
- The present invention may be described in the general context of computer-executable instructions, such as program modules, being executed by a computer. Generally described, program modules include routines, programs, objects, components, data structures, and so forth that perform particular tasks or implement particular abstract data types. The invention may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in local and/or remote computer storage media.
- While the present invention will primarily be described in the context of efficiently scanning one or more files for malware, those skilled in the relevant art and others will recognize that the present invention is also applicable to other areas than those described. For example, the present invention may be used to efficiently scan units of data other than a file for malware. In any event, the following description first provides an overview of a system in which the present invention may be implemented. Then a method that implements the present invention is described. The illustrative examples provided herein are not intended to be exhaustive or to limit the invention to the precise forms disclosed. Similarly, any steps described herein may be interchangeable with other steps or combinations of steps in order to achieve the same result.
- Now with reference to FIG. 1 , components of a computer 100 that are capable of implementing aspects of the present invention will be described. Those skilled in the art and others will recognize that the computer 100 may be any one of a variety of devices including, but not limited to, personal computing devices, server-based computing devices, mini- and mainframe computers, or other electronic devices having some type of memory. For ease of illustration and because it is not important for an understanding of the present invention, FIG. 1 does not show the typical components of many computers, such as a CPU, keyboard, a mouse, a printer, or other I/O devices, a display, etc. However, as illustrated in FIG. 1 , the computer 100 does include a computer-readable medium 102 , system memory 104 , a memory manager 106 , and antivirus software 108 . Also, as illustrated in FIG. 1 , the antivirus software 108 includes a scan engine 110 , a bit map cache 112 , an efficient scan module 114 , and a persistent data store 116 . However, those skilled in the art and others will recognize that the computer 100 and antivirus software 108 illustrated in FIG. 1 are highly simplified examples which only illustrate components that are necessary for an understanding of the present invention. In actual embodiments of the present invention, the computer 100 and the antivirus software 108 will have additional components that are not illustrated in FIG. 1 . Thus, the computer 100 is only one example of a computer capable of implementing aspects of the present invention and is not intended to suggest any limitation as to the scope of use or functionality of the invention.
- In general terms, the present invention performs optimizations designed to improve the efficiency of antivirus software in scanning for malware. As described in more detail below, the optimizations performed include efficiently reading data from a computer-readable medium 102 into the system memory 104 , using heuristics to “pre-fetch” data into system memory 104 , and performing load balancing to efficiently allocate limited resources when scanning a plurality of files for malware.
- As illustrated in FIG. 1 , the computer 100 includes a computer-readable medium 102 that may be any available media that is accessible by the computer 100 and includes both volatile and nonvolatile media and removable and non-removable media. By way of example and not limitation, the computer-readable medium 102 may be volatile or nonvolatile, removable or nonremovable, implemented using any technology for storage of information such as, but not limited to a hard drive, CD-ROM, DVD, or other disk storage, magnetic cassettes, magnetic tape, magnetic disk storage, or any other media that can be used to store the desired information and may be accessed by the computer 100 even through a computer network. Combinations of any of the media described above should also be included within the scope of a computer-readable medium.
- The computer 100 also includes system memory 104 that may be volatile or nonvolatile memory, such as Read Only Memory (“ROM”), Random Access Memory (“RAM”), or other storage system that is readily accessible to a CPU on the computer. Those skilled in the art and others will recognize that ROM and RAM typically contain data and/or program modules that are immediately accessible to and/or currently being operated on by the CPU.
- As mentioned previously, in order to scan a file for malware, a component of an operating system installed on the computer 100 loads file data from a computer-readable medium 102 into system memory 104 that is accessible to a CPU (not illustrated). However, loading file data from the computer-readable medium 102 into the system memory 104 is often a “bottleneck” in a computer's performance. As a result, in the prior art, a CPU frequently remains idle, waiting to perform operations on behalf of antivirus software while data is being loaded into the system memory 104 .
- Those skilled in the art and others will recognize that a CPU serves as the computational center of the computer 100 by supporting the execution of program code including program code implemented by the present invention. Most malware carries out its malicious functionality when malware program code is loaded into system memory 104 and then “executed” by the CPU.
- To protect a computer from malware, the antivirus software 108 is configured to scan for malware “on access” when an application program is scheduled to be executed. For example, a computer user may issue a command to start execution of an application program by “double clicking” on an icon associated with the program or by selecting the program through other means. In this instance, a request to perform input/output (“I/O”) with a hardware device, such as the computer-readable medium 102 , is typically generated by an application program. Prior to the request being satisfied, the antivirus software 108 is notified that the I/O request occurred. In response, the antivirus software 108 will cause one or more files associated with the application program to be scanned “on access” when data that implements the program is loaded into system memory 104 but prior to the data being executed. Only when the antivirus software 108 does not identify malware in the data is the application program allowed to execute.
- Also, the
antivirus software 108 will typically be configured to scan all or any number of the files on the computer-readable medium 102 “on demand” in response to a command. In this instance, certain data from files that are scheduled to be scanned for malware are loaded into system memory 104 and scanned for malware by the antivirus software 108 . In accordance with one embodiment, when a plurality of files is scheduled to be scanned “on-demand,” the present invention causes data to be read into memory in a way that optimizes the resources of the computer. For example, files that are of types known to be “CPU bound” are scheduled to be read into system memory and scanned together with files of types known to be “I/O bound.” As described in further detail below, by scheduling files in this way, aspects of the present invention minimize the number of idle CPU cycles that occur when performing an “on-demand” scan for malware.
- The present invention may be implemented in conjunction with antivirus software that performs a scan for malware “on access” and/or “on demand” to improve the speed at which a scan is performed. However, aspects of the present invention may cause a scan for malware to be performed in other instances than those described above. For example, as described in further detail below, aspects of the present invention may be used in conjunction with a memory manager 106 that uses heuristics to “pre-fetch” data into system memory 104 in anticipation that a user will cause a particular application program to be executed.
- As illustrated in FIG. 1 , the computer 100 includes a memory manager 106 that operates in conjunction with a computer operating system (not illustrated) to manage memory on behalf of the computer 100 . For example, currently existing memory managers typically provide a virtual memory address space so that the amount of storage space available to an application program is larger than the storage space provided by the system memory 104 . When an application program executes, the virtual memory addresses used by the application program are converted into physical memory addresses by the memory manager 106 so that necessary data may be swapped into system memory 104 .
- As mentioned previously, in order to execute an application program, data is read from the computer-readable medium 102 and loaded into the system memory 104 where it is accessible to a CPU. However, a launch of an application program, in which all of the necessary data is read from the computer-readable medium 102 when a user selects the program, is time consuming. The delay in application launch is primarily caused by data transfers necessary to read the data from the computer-readable medium 102 . During the time when data is being read, the CPU may be blocked, waiting for the necessary data to become accessible. However, the memory manager 106 performs optimizations that are designed to “pre-fetch” data stored on the computer-readable medium 102 into system memory 104 based on the expected needs of the user. Stated differently, the memory manager 106 works to provide performance improvements in memory management by loading and maintaining data in system memory 104 that is likely to be needed before the data is actually needed. Units of data typically known as pages are prioritized with a value/score that is computed using a variety of factors, including the frequency of use, time of last use, ease of data transfer and other context-based information. The memory manager 106 works to pre-fetch and/or maintain the more valuable pages of data in memory. If a program needs to be swapped out or overwritten, a page of data may be automatically brought back into system memory 104 , not because of actual demand, but rather because of expected demand. By having the system memory 104 filled with valuable data before the data is needed, the memory manager 106 substantially reduces or eliminates transfer operations from the computer-readable medium 102 . In this regard, a detailed explanation of a method and mechanisms that “pre-fetches” or loads and maintains pages of data in system memory based on the expected demands of the user may be found in commonly assigned, copending U.S. patent application Ser. No. 10/952,336, entitled “Methods and Mechanisms for Proactive Memory Management,” the content of which is expressly incorporated herein by reference.
- The antivirus software 108 in which aspects of the present invention may be implemented includes a scan engine 110 designed to detect data that is characteristic of malware. Many different software vendors include a scan engine or similar software module in antivirus software. One known technique employed by some existing scan engines that is used to identify data characteristic of malware includes obtaining a copy of the malware “in the wild.” Then the data that implements the malware is processed with a hash function that converts the data or a characteristic subset of the data into a signature that uniquely identifies the malware. The scan engine 110 illustrated in FIG. 1 may employ this known technique of scanning a file for a malware signature. Also, increasingly, heuristic techniques are employed when identifying data characteristic of malware that may be used by the scan engine 110 . However, it should be well understood that the examples described herein should be construed as exemplary and not limiting, as the scan engine 110 may employ any one of a number of existing, or yet to be developed, malware detection techniques.
- The scan engine 110 may be optimized to scan a file by only searching data in a file that has the potential to expose a computer to the effects of malware. In modern computer systems, data is typically associated with a file that describes attributes of the file. A scan engine that searches for malware in a file without the context of data that is associated with a file is inefficient. For example, the scan engine 110 may search the header of a file and determine that the file is incapable of exposing a computer to the effects of malware. In this instance, the scan engine 110 will not scan subsequent portions of the file because those subsequent portions are not capable of implementing the effects of malware. By way of another example, the scan engine 110 may search data contained in the header of a file and determine that segments of data in the file have the potential to expose a computer to the effects of malware. In the context of a Microsoft Word™ document, data associated with the document identifies locations within the document that contain “macros” or “embedded objects” with executable program code. In this instance, the scan engine 110 searches the data in the file and identifies the locations within the document that have the potential to expose a computer to the effects of malware. Then, the scan engine 110 requests and scans data located in these areas of the document. While a scan engine that only scans data needed to determine whether a file contains malware is an optimization over the prior art, it may result in a significant number of time-consuming “seek” operations. As described in further detail below, one aspect of the present invention is directed to minimizing the number of “seek” operations performed when scanning a file for malware.
- As illustrated in FIG. 1 , the antivirus software 108 in which aspects of the present invention may be implemented also includes a bit map cache 112 . The present invention will typically be used in conjunction with a system that selectively scans one or more files on a computer for malware. The existing system associates a variable with a file when a scan of the file is performed. If the variable indicates that the file is malware, any attempt to access the file by the user fails. Conversely, if the variable indicates that the file is not malware and data in the file has not been modified, an attempt to execute the file will succeed without requiring an additional scan of the file to be performed. As described in further detail below, the information necessary to determine whether a scan of the file is necessary is maintained in the bit map cache 112 .
- For illustrative purposes and by way of example only, the contents of a sample
bit map cache 112 are shown inFIG. 2 As illustrated, thebit map cache 112 consists of three columns, each of which contains multiple entries. The columns are identified asFILEINDX 200,FIRST BIT 202, andSECOND BIT 204. TheFILEINDX 200 field contains a value that is used to uniquely identify a file. As known to those skilled in the art and others, a computer-readable medium such as a hard drive, is typically partitioned into logical units referred to as volumes. Each volume has a central location where information about files on the volume is stored, including a unique identifier that is used to access a file internally. This value is an inserted into theFILEINDX 200 column of thebit map cache 112. TheFIRST BIT 202, and SECOND BIT 204 fields each store a value that collectively identifies the state of the file. For example, both theFIRST BIT 202 andSECOND BIT 204 fields contain a value that is either a “0” or a “1.” In one system, if theFIRST BIT 202 field contains a “1” and theSECOND BIT 204 field also contains a “0,” then the state of the file is “known malware.” Alternatively, if theFIRST BIT 202 field contains a “0” and theSECOND BIT 204 field contains a “1,” then the state of the file is “known good.” Also, if theFIRST BIT 202 field contains a “0” and theSECOND BIT 204 field contains a “0,” then the state of the file is “unknown.” AlthoughFIG. 2 illustrates abit map cache 112 that has specific attributes, those skilled in the art will appreciate that thebit map cache 112 may operate with more or fewer than all of the listed attributes. - The
antivirus software 108 is configured to perform a lookup in thebit map cache 112 when a scanning event is identified. As described above, the variables associated with a file in thebit map cache 112 dictates whether the file will be scanned for malware. In instances when a file was not previously scanned or the contents of the file have been modified, theantivirus software 106 causes a scan to be performed and updates thebit map cache 106 to reflect the results of the scan. If the file was previously scanned and the contents of the file have not changed, theantivirus software 106 does not perform a scan, thereby minimizing the computational resources used by theantivirus software 106. In this regard, a detailed explanation of a system and method that tracks whether a file needs to be scanned for malware may be found in commonly assigned, copending U.S. patent application Ser. No. 10/984,614, entitled “System and Method for Aggregating the Knowledge Base of Antivirus Software Applications,” the content of which is expressly incorporated herein by reference. - Aspects of the present invention may be used to populate the contents of the
bit map cache 112 before an “on access” or “on demand” scan of a file occurs. As described previously, the present invention is implemented in conjunction with amemory manager 106 that “pre-fetches” or loads data insystem memory 104 based on the expected demands of a user. To improve the performance of theantivirus software 108, a scan for malware is performed when thememory manager 106 “pre-fetches” data into thesystem memory 104. For example, when a computer begins functioning, thememory manager 106 will typically load data from a plurality of files intosystem memory 104 in anticipation that a user will cause one or more application programs associated with the files to be executed. In this instance, data loaded insystem memory 104 may be scanned for malware “in the background” before an application program is executed. After the scan is performed, the contents of thebit map cache 112 are updated to reflect the results of the scan. As a result, when a user initiates a launch of an application program that uses data “pre-fetched” into thesystem memory 104, the operations that determine whether an application program needs to be scanned for malware will have already been performed. - As illustrated in
FIG. 1 , theantivirus software 108 also includes anefficient scan module 114 that contains software routines and logic implemented by the present invention. Since functions and different embodiments of theefficient scan module 114 are described below with reference toFIG. 3 , a detailed description of themodule 114 will not be provided here. However, generally described, themodule 114 implements logic to reduce or eliminate the overhead involved in scanning a file for malware. For example, one aspect of theefficient scan module 114 efficiently reads data from a storage device (e.g., the computer-readable medium 102) into memory accessible to a CPU (e.g., the system memory 104). In this regard, theefficient scan module 114 identifies an optimal pattern to load data in the file into system memory based on how thescan engine 110 accesses data in the file. Data that describes a pattern used to scan each file on a computer for malware is stored in apersistent data store 116 and updated each time a file is scanned. - As known to those skilled in the art and others,
FIG. 1 is a simplified example of onecomputer 100 capable of performing the functions of the present invention. Actual embodiments of thecomputer 100 will have additional components not illustrated inFIG. 1 or described in the accompanying text. Also,FIG. 1 shows one component architecture for minimizing the overhead required in scanning a file for malware, but other component architectures are possible. Thus, the components illustrated inFIG. 1 should be construed as exemplary and not limiting. - Now with reference to
FIG. 3 , an exemplary embodiment of anefficient scan module 114 illustrated inFIG. 3 that minimizes the overhead involved in scanning a file for malware will be described. - At
decision block 300, theefficient scan module 114 remains idle and waits until a scanning event is identified. Those skilled in the art and others will appreciate that antivirus software may initiate a scan for malware in many different circumstances. As described above with reference toFIG. 1 , existing antivirus software will typically perform a scan for malware “on access” when a user or software system selects an application program for execution. Since executing an application program may expose a computer to malware, the files associated with the application program are scanned before execution is initiated. Moreover, existing antivirus software is typically configured to perform a scan “on demand” when a user or software system generates a command that causes a volume or other logical partition of data to be scanned for malware. Theefficient scan module 114 may also be implemented in conjunction with antivirus software that performs a scan for malware “on access” and/or “on demand” to improve the speed in which a scan is performed. - As mentioned above, the
efficient scan module 114 may also be implemented with a software system that uses heuristics to “pre-fetch” data into system memory in anticipation that a user will cause an application program to be executed. Data required to execute the application program is scanned for malware when loaded into system memory before the user issues the command to execute the program. In one embodiment of the present invention, data is loaded into system memory and a scan for malware is performed “in the background” without requiring input from the user. Moreover, the present invention may cause data to be “pre-fetched” into system memory and scanned for malware when computer resources (e.g., the CPU) on the computer are idle thereby minimizing the impact of scanning data for malware. - At
decision block 302, a determination is made regarding whether the scanning event identified atblock 300 is a “batch job” that requires scanning a plurality of files. Stated differently, aspects of the present invention may either scan a single file for malware or a plurality of files. When a plurality or “batch” of files is scheduled to be scanned for malware, aspects of the present invention schedule files to be scanned in an order that maximizes resource utilization of the computer. In any event, if a single file will be scanned for malware, theefficient scan module 114 proceeds to theblock 306 described in further detail below. Conversely, if a plurality of files will be scanned, theefficient scan module 114 proceeds to block 304. - As illustrated in
FIG. 3 , atblock 304, theefficient scan module 114 arranges the order in which files will be scanned for malware that optimizes the use of computer resources. Ifblock 304 is reached, a plurality of files is scheduled to be scanned for malware as a result of the scanning event identified ablock 300. In accordance with one aspect of the present invention, the files are scheduled to be read into system memory and scanned in a way that maximizes resource usage on the computer. Those skilled in the art and others will recognize that antivirus software typically needs two resources to scan a file for malware, including (1) a CPU and (2) a storage device (e.g., the computer readable medium 102) where the file data is stored. As mentioned previously, in reading file data into system memory, a CPU may become “blocked” waiting for the necessary data. In this instance, when the CPU is required to perform minimal processing on a large amount of data, overall effective processing speed is reduced because the CPU is forced to wait. As a result, the application that requested data be read into system memory is referred to as “CPU bound” in that the CPU will remain idle until data becomes available from the storage device. The “bottleneck” in computer performance caused by CPU-bound applications, led software engineers to develop systems in which multiple requests to read data are scheduled to occur asynchronously with other processing performed by an application program. In some systems, multiple requests to read data into system memory are input into a queue so that when an I/O request is initiated, control may be returned to the calling program. As a result, processing performed by an application program does not wait for completion of the I/O request before continuing execution. Instead, a queue dispatches asynchronous reads requests in order to load required file data from multiple files into system memory. 
In this type of system, those skilled in the art and others will recognize that resource utilization is maximized when scans for CPU bound files are scheduled together with, and overlap with, scans for I/O bound files.

At block 304, the efficient scan module 114 separates the files that will be scanned for malware into “CPU bound” and “I/O bound” files. In accordance with one embodiment of the present invention, the files are separated based on file type. For example, antivirus software developers have recognized that certain file types will result in a CPU bound scan for malware in which a large amount of processing will be performed on a relatively small amount of data. Similarly, other file types are more likely to result in an I/O bound scan for malware. A file that will cause an I/O bound scan for malware is matched with, and will be scheduled concurrently with, a file that will cause a CPU bound scan for malware. Stated differently, when scanning a plurality of files, the multiple requests to read file data into system memory that are scheduled in a queue will contain both I/O bound and CPU bound files. As a result, the resources of the computer are maximized when scanning a plurality of files for malware.

At block 306, data from a file that is an object of the scanning event identified at block 300 is selected or scheduled to be read into system memory. When block 306 is reached, the efficient scan module 114 may be scanning either a single file or a plurality of files for malware. As mentioned above, in some systems, when a request to read file data into system memory is made by an application program such as antivirus software, the request is placed in a queue along with other requests. Thus, in one embodiment, an existing system that uses a queue to schedule and satisfy I/O requests “selects” or schedules a file to be read into system memory based on an algorithm that is “fair.” Since these existing systems are generally known in the art, they will not be described in detail here. However, it should be well understood that a request to read data into system memory may be performed using different systems and that the examples described herein should be construed as exemplary and not limiting.

As illustrated in FIG. 3, at decision block 308, the efficient scan module 114 determines whether a file-specific scanning pattern for the selected file is known. As mentioned previously, in one embodiment of the present invention a software module (e.g., the scan engine 110) only analyzes the data in a file that is necessary to determine whether the file is infected with malware. Since certain portions of the file may not be capable of exposing a computer to the effects of malware, not all data in the file is necessarily loaded into system memory and scanned. Instead, segments of data that may be capable of implementing the malicious functionality of malware are identified and loaded into system memory. As mentioned previously, a software module that only scans the relevant portions of a file for malware may cause a significant number of “seek” operations to be performed, in which a read/write head is required to obtain data from remote locations on a computer-readable medium. The pattern in which data in a file is accessed by a scan engine is stored in a database (e.g., the persistent data store 116) and updated each time a scan is performed. Thus, at block 308, the efficient scan module 114 determines whether a file-specific scanning pattern is available by querying a database (e.g., the persistent data store 116). If the database maintains an entry for the selected file with data that describes a scanning pattern, the efficient scan module 114 proceeds to block 310. Conversely, if the database does not maintain such an entry for the selected file, the efficient scan module 114 proceeds to block 312, described below.

At block 310, the efficient scan module 114 obtains a scanning pattern for the file selected at block 306. As mentioned previously, data that describes how a file is scanned is maintained in a database (e.g., the persistent data store 116). For illustrative purposes and by way of example only, the contents of an exemplary persistent data store 116 are shown in FIG. 4. As illustrated, the persistent data store 116 consists of four columns, each of which contains multiple entries. The columns are identified as FILEINDX 400, TYPE 402, OFFSET 404, and SIZE 406. Similar to the FILEINDX 200 field maintained in the bit map cache 112, described above with reference to FIG. 2, the FILEINDX 400 field illustrated in FIG. 4 contains a value that uniquely identifies a file on the volume where the file is stored. The TYPE 402 field contains a value used to identify the format of a file. Those skilled in the art and others will recognize that files typically adhere to well-defined formats. As described in further detail below, files of the same type will typically have common traits that are used in defining a default scanning pattern when a file-specific scanning pattern is not available. The OFFSET 404 and SIZE 406 fields store values that collectively identify segments of data in a file that were loaded into system memory and analyzed in a scan of the file. For example, in one embodiment of the present invention the OFFSET 404 field contains a value that identifies the number of bytes from the beginning of the file at which a segment of data was obtained when a scan of the file was performed. The value maintained in the associated SIZE 406 field identifies the total number of bytes that were obtained starting from the location represented in the OFFSET 404 field.

In one embodiment of the present invention, each file on a volume that has been scanned for malware maintains an entry in the persistent data store 116. However, the resource requirements of storing data that describes a scanning pattern for every file on the volume may not provide the desired performance benefits on some computer systems. Thus, in an alternative embodiment, only the most frequently scanned files maintain an entry in the persistent data store 116. As described in further detail below (at block 312), access patterns from the most frequently scanned files may be used to predict access patterns for a file of a particular type.

Returning to FIG. 3, at block 310, the efficient scan module 114 obtains data that identifies the segments of data (e.g., offset and size) in a file that were loaded into system memory and analyzed in a scan of the file. Simply stated, the efficient scan module 114 obtains the data that identifies the segments that were loaded into system memory by querying the persistent data store 116 with a function call.

At block 312, the efficient scan module 114 obtains a scanning pattern for the type of file that was selected at block 306. If block 312 is reached, a file-specific scanning pattern is not available from the persistent data store 116, which may occur, for example, if the selected file was not previously scanned for malware. Alternatively, a file-specific scanning pattern may not be available from the persistent data store 116 because the present invention may be configured to only store a scanning pattern for the most frequently used files. In this instance, the efficient scan module 114 will load data into system memory based on data obtained from scans performed on files of the same type as the selected file. Those skilled in the art and others will recognize that files of the same type typically share common characteristics, such as the same file extension (e.g., “.EXE”, “.DOC”, etc.), that may be used to differentiate these files from other file types. However, those skilled in the art and others will also recognize that characteristics other than a file extension may be used to differentiate between file types.

As mentioned previously, files stored on a computer typically adhere to well-defined formats and therefore have common traits. The commonality between files of the same type may be used to define a default scanning pattern for the file selected at block 306. For example, some file types maintain data in a file header that identifies locations in the file where executable program code that has the potential to expose a computer to malware is located. In this instance, a scan engine will always access data in the header of a file of that type. In accordance with one embodiment of the present invention, the efficient scan module 114 identifies locations in files of the same type that are always scanned for malware. For example, using techniques that are generally known in the art, a query may be passed to the persistent data store 116 that returns the location of the data segments in a file that are always scanned for malware. However, those skilled in the art and others will recognize that the technique for identifying a default scanning pattern described above should not be construed as limiting. For example, in alternative embodiments, the efficient scan module 114 may parse data in a file and identify locations that are likely to be needed by a scan engine.

At block 314, the efficient scan module 114 identifies an optimized order in which segments of data in the selected file will be loaded from a computer-readable medium into system memory. For illustrative purposes and by way of example only, FIG. 5 depicts an exemplary computer-readable medium 500 that stores data segments. FIG. 5 illustrates an exemplary scanning pattern 510 that shows the movement of the computer-readable medium 500 in relation to a read/write head 512 when the data segments … data segment 506, which results in the computer-readable medium 500 moving so that the read/write head 512 is located adjacent to the data segment 506. When the read/write head 512 is adjacent to the data segment 506, the data requested by the scan engine is loaded into system memory. As illustrated in FIG. 5, the scan engine then requests the data segment 502. Similar to the description provided above, the computer-readable medium 500 then moves so that the read/write head 512 is adjacent to the data segment 502. Then, the data segment 502 is read into system memory. As further illustrated in FIG. 5, data segments …

Now with reference to FIG. 6, an optimized scanning pattern 600 that is implemented by aspects of the present invention is described. FIG. 6 contains the same computer-readable medium 500 and data segments … as FIG. 5. As mentioned previously, the efficient scan module 114 causes data that is likely to be scanned for malware to be loaded into system memory before the data is needed. Also, the data will typically be accessed in a way that minimizes the number of seek operations that need to be performed. For illustrative purposes and by way of example only, FIG. 6 depicts an exemplary scanning pattern 600 that may be identified by aspects of the present invention. Similar to FIG. 5, a scan engine may request the data segments … data segments … FIG. 6, the optimizations performed by the efficient scan module 114 may include but are not limited to (1) loading contiguous data segments at the same time to minimize the number of seek operations that are performed, (2) loading data segments in an order that minimizes movement of the computer-readable medium 500 under the read/write head 512, and (3) loading noncontiguous data segments that are separated by a small and unnecessary data segment in the same operation. Moreover, the efficient scan module 114 may determine that loading all file data into system memory may be more efficient than loading segments of data. This may occur, for example, when a small file with data that is contiguously stored on a computer-readable medium is the object of a scanning event.

Returning to FIG. 3, at block 316 the efficient scan module 114 causes data that is likely to be scanned for malware to be loaded into system memory. Those skilled in the art and others will recognize that a component of the operating system commonly referred to as a “loader” is responsible for copying data from a computer-readable medium into system memory. However, while a loader typically copies the data when it is needed, aspects of the present invention cause the loader to copy the necessary data in anticipation that the data will be needed.

As illustrated in FIG. 3, at block 318 a scan of the file selected at block 306 is performed. As mentioned previously, a known technique that may be employed to scan a file for malware includes obtaining a copy of the malware “in the wild.” Then the data that implements the malware is processed with a hash function that converts the data, or a characteristic subset of the data, into a signature that uniquely identifies the malware. However, it should be well understood that the example signature-based technique of scanning for malware described herein should be construed as exemplary and not limiting, as the present invention may be used in conjunction with any number of malware detection techniques. At block 318, performing the scan may include searching data loaded into system memory for a signature that is associated with malware. Moreover, those skilled in the art and others will recognize that in certain instances additional data will need to be loaded into system memory. For example, if the contents of the selected file were modified since the most recent scan for malware, the scanning pattern used to predict the data that needs to be loaded into system memory may not be completely “up-to-date.” However, a scan engine may still request data that was not previously loaded into system memory and have the request satisfied by existing systems.

At block 320, a database (e.g., the persistent data store 116) is updated with information that describes the scanning pattern in which data in the selected file was accessed and scanned at block 318. As mentioned previously, a scan engine may access segments of data from a file in any order to determine whether the file contains malware. Aspects of the present invention track how the data is accessed when a scan is performed and record this information in a database (e.g., the persistent data store 116). Then, in anticipation that another scan of the file will be needed, the database is queried and the segments of data that were previously accessed when a scan occurred are loaded into system memory before the data is needed. In any event, at block 320 data in a database (e.g., the persistent data store 116) is updated with information that describes the segments of data that were accessed and scanned at block 318.

At decision block 322, the efficient scan module 114 determines whether any files that were scheduled to be scanned for malware at block 300 have not yet been selected. If no additional file will be selected, the efficient scan module 114 proceeds to block 324, where it terminates. Conversely, if at least one additional file will be selected, the efficient scan module 114 proceeds back to block 306, and blocks 306 through 322 repeat until all of the files that were the object of the scanning event have been selected.

While the preferred embodiment of the invention has been illustrated and described, it will be appreciated that various changes can be made therein without departing from the spirit and scope of the invention.
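The batch ordering of block 304, where files are split by type into "CPU bound" and "I/O bound" scans and the two kinds are queued so that they overlap, can be made concrete with a small scheduler and cost model. The following is an added example for this page, not the patent's code; the `CPU_BOUND_TYPES` table, the `ScanJob` timings and the two-stage pipeline model (one storage device feeding one CPU, reads dispatched in queue order) are all this example's constructed assumptions, and the page's own labels "CPU bound" and "I/O bound" are kept as it uses them.

```python
"""Block 304: ordering a batch of files so CPU-bound and I/O-bound scans overlap.

Added example, not the patent's code. Labelled assumptions: which file types
count as CPU bound is a constructed table, and the cost model is a two-stage
pipeline (one storage device feeding one CPU) with constructed timings.
"""
from dataclasses import dataclass

# Assumption: file types whose scan does a lot of processing on little data.
CPU_BOUND_TYPES = {"EXE", "DLL", "ZIP"}


@dataclass
class ScanJob:
    name: str
    file_type: str
    io_time: float   # constructed: time to read the segments the scan needs
    cpu_time: float  # constructed: time the scan engine spends on them

    @property
    def cpu_bound(self) -> bool:
        return self.file_type in CPU_BOUND_TYPES


def interleave(jobs):
    """Alternate CPU-bound and I/O-bound jobs so each queue window holds both."""
    cpu_bound = [j for j in jobs if j.cpu_bound]
    io_bound = [j for j in jobs if not j.cpu_bound]
    order = []
    while cpu_bound or io_bound:
        if cpu_bound:
            order.append(cpu_bound.pop(0))  # a short read that keeps the CPU busy
        if io_bound:
            order.append(io_bound.pop(0))   # a long read that overlaps with that scan
    return order


def makespan(order) -> float:
    """Total time under the pipeline model: reads are dispatched in queue
    order; each scan starts once its data has arrived and the CPU is free."""
    disk_free = cpu_free = 0.0
    for job in order:
        read_done = disk_free + job.io_time
        disk_free = read_done
        cpu_free = max(read_done, cpu_free) + job.cpu_time
    return cpu_free


if __name__ == "__main__":
    # Constructed batch in directory order: two large documents, two executables.
    batch = [ScanJob("C", "DOC", 5, 1), ScanJob("D", "AVI", 5, 1),
             ScanJob("A", "EXE", 1, 5), ScanJob("B", "ZIP", 1, 5)]
    print([j.name for j in interleave(batch)], makespan(batch), makespan(interleave(batch)))
```

With the constructed timings, scanning the batch in directory order leaves the CPU idle through both long reads and then the disk idle through both long scans; the interleaved order keeps both resources busy and finishes in the time bound given by the larger of the total read time and the total scan time plus one short stage.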
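Blocks 308 through 320 (look up a file-specific pattern, fall back to a type default, plan a seek-minimising load order, pre-load, scan with on-demand loads for anything missing, then record what was accessed) fit together as one loop over a table shaped like FIG. 4. The following is an added example written for this page and not the patent's code. Its `PersistentDataStore`, `plan_loads`, `seek_count` and `efficient_scan` names are the example's own; the gap threshold below which two segments are read in one operation, the size below which a file is loaded whole, the seek model (one seek whenever a read does not start where the last one ended), and the scan engine's access lists are constructed assumptions. The type default is computed as the segments present in every recorded scan of that type, which is one way to realise the "always scanned" query the text describes.

```python
"""Blocks 308-320: file-specific and type-default scanning patterns with a
seek-minimising load order (FIG. 4 to FIG. 6).

Added example modelling the persistent data store 116 and the efficient scan
module 114; not the patent's code. Constructed assumptions are labelled.
"""
from collections import defaultdict

GAP_THRESHOLD = 512          # assumption: read through gaps smaller than this rather than seek
WHOLE_FILE_THRESHOLD = 4096  # assumption: files this small are loaded in one operation


class PersistentDataStore:
    """Rows of (FILEINDX, TYPE, OFFSET, SIZE), as in FIG. 4."""

    def __init__(self):
        self.rows = []

    def record(self, file_index, file_type, segments):
        """Block 320: replace the file's pattern with the segments just accessed."""
        self.rows = [r for r in self.rows if r[0] != file_index]
        self.rows.extend((file_index, file_type, off, size) for off, size in segments)

    def file_pattern(self, file_index):
        """Block 310: the file-specific pattern, or None if no entry exists."""
        segs = [(o, s) for f, _, o, s in self.rows if f == file_index]
        return segs or None

    def default_pattern(self, file_type):
        """Block 312: segments accessed in every recorded scan of this type."""
        per_file = defaultdict(set)
        for f, t, o, s in self.rows:
            if t == file_type:
                per_file[f].add((o, s))
        if not per_file:
            return []
        return sorted(set.intersection(*per_file.values()))


def plan_loads(segments, file_size):
    """Block 314: order segments by offset and merge contiguous or
    near-contiguous ones into single read operations."""
    if file_size <= WHOLE_FILE_THRESHOLD:
        return [(0, file_size)]
    merged = []
    for off, size in sorted(segments):
        if merged:
            prev_off, prev_size = merged[-1]
            if off <= prev_off + prev_size + GAP_THRESHOLD:
                end = max(prev_off + prev_size, off + size)
                merged[-1] = (prev_off, end - prev_off)
                continue
        merged.append((off, size))
    return merged


def seek_count(requests):
    """A seek is charged whenever a read does not start where the last one ended."""
    seeks, pos = 0, 0
    for off, size in requests:
        if off != pos:
            seeks += 1
        pos = off + size
    return seeks


def efficient_scan(store, file_index, file_type, file_size, scan_engine_requests):
    """Blocks 308-320 for one file. scan_engine_requests is the constructed list
    of (offset, size) segments the scan engine asks for, in the order it asks."""
    pattern = store.file_pattern(file_index)            # block 308
    source = "file-specific"
    if pattern is None:
        pattern, source = store.default_pattern(file_type), "type-default"
    plan = plan_loads(pattern, file_size)               # block 314
    seeks = seek_count(plan)                            # block 316: pre-load
    loaded = list(plan)
    pos = loaded[-1][0] + loaded[-1][1] if loaded else 0
    misses = 0
    for off, size in scan_engine_requests:              # block 318: scan, loading on demand
        if not any(o <= off and off + size <= o + s for o, s in loaded):
            if off != pos:
                seeks += 1
            pos = off + size
            loaded.append((off, size))
            misses += 1
    store.record(file_index, file_type, scan_engine_requests)  # block 320
    return {"source": source, "plan": plan, "seeks": seeks, "misses": misses}


if __name__ == "__main__":
    store = PersistentDataStore()
    # Constructed: a document whose scan engine touches the header and three
    # embedded-object regions, requested in a seek-heavy order.
    reqs = [(40960, 1024), (0, 256), (42240, 1024), (61440, 2048)]
    print(efficient_scan(store, 1, "DOC", 65536, reqs))  # first scan: 4 seeks
    print(efficient_scan(store, 1, "DOC", 65536, reqs))  # second scan: 2 seeks
```

The first scan of a file has no pattern and every request costs a seek; the second scan pre-loads the recorded segments in offset order, merging the two regions separated by a 256-byte gap into one read, so the same four requests are served with two seeks. A file of an already-seen type with no entry of its own gets only the header pre-loaded, and a file under the whole-file threshold is read in a single operation.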
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US11/154,267 US7861296B2 (en) | 2005-06-16 | 2005-06-16 | System and method for efficiently scanning a file for malware |
Publications (2)
Publication Number | Publication Date |
---|---|
US20060288416A1 true US20060288416A1 (en) | 2006-12-21 |
US7861296B2 US7861296B2 (en) | 2010-12-28 |
Family
ID=37574865
US9754102B2 (en) | 2006-08-07 | 2017-09-05 | Webroot Inc. | Malware management through kernel detection during a boot sequence |
US10032023B1 (en) * | 2016-03-25 | 2018-07-24 | Symantec Corporation | Systems and methods for selectively applying malware signatures |
US20190278583A1 (en) * | 2017-03-30 | 2019-09-12 | Pax Computer Technology (Shenzhen) Co., Ltd | Method for updating firmware, terminal and computer readable non-volatile storage medium |
US10834121B2 (en) * | 2018-07-24 | 2020-11-10 | EMC IP Holding Company LLC | Predictive real-time and scheduled anti-virus scanning |
US10929536B2 (en) | 2018-09-14 | 2021-02-23 | Infocyte, Inc. | Detecting malware based on address ranges |
US11003770B2 (en) * | 2018-07-24 | 2021-05-11 | EMC IP Holding Company LLC | Predictive real-time anti-virus scanning |
US11062021B2 (en) * | 2017-08-29 | 2021-07-13 | NortonLifeLock Inc. | Systems and methods for preventing malicious applications from exploiting application services |
US11489857B2 (en) | 2009-04-21 | 2022-11-01 | Webroot Inc. | System and method for developing a risk profile for an internet resource |
US11593480B2 (en) * | 2018-07-24 | 2023-02-28 | EMC IP Holding Company LLC | Predictive scheduled anti-virus scanning |
Families Citing this family (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8255992B2 (en) * | 2006-01-18 | 2012-08-28 | Webroot Inc. | Method and system for detecting dependent pestware objects on a computer |
US7930749B2 (en) * | 2006-05-11 | 2011-04-19 | Eacceleration Corp. | Accelerated data scanning |
US8528089B2 (en) * | 2006-12-19 | 2013-09-03 | Mcafee, Inc. | Known files database for malware elimination |
US8656489B1 (en) * | 2007-09-29 | 2014-02-18 | Symantec Corporation | Method and apparatus for accelerating load-point scanning |
US9292689B1 (en) * | 2008-10-14 | 2016-03-22 | Trend Micro Incorporated | Interactive malicious code detection over a computer network |
US8230261B2 (en) * | 2009-12-17 | 2012-07-24 | Hewlett-Packard Development Company, L.P. | Field replaceable unit acquittal policy |
US8935792B1 (en) | 2010-10-05 | 2015-01-13 | Mcafee, Inc. | System, method, and computer program product for conditionally performing an action based on an attribute |
US9110595B2 (en) | 2012-02-28 | 2015-08-18 | AVG Netherlands B.V. | Systems and methods for enhancing performance of software applications |
US10824730B2 (en) | 2018-08-22 | 2020-11-03 | Imperva, Inc. | Continuous database security and compliance |
Citations (13)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5473769A (en) * | 1992-03-30 | 1995-12-05 | Cozza; Paul D. | Method and apparatus for increasing the speed of the detecting of computer viruses |
US5577224A (en) * | 1994-12-13 | 1996-11-19 | Microsoft Corporation | Method and system for caching data |
US6021510A (en) * | 1997-11-24 | 2000-02-01 | Symantec Corporation | Antivirus accelerator |
US6094731A (en) * | 1997-11-24 | 2000-07-25 | Symantec Corporation | Antivirus accelerator for computer networks |
US20030101381A1 (en) * | 2001-11-29 | 2003-05-29 | Nikolay Mateev | System and method for virus checking software |
US20030110387A1 (en) * | 2001-12-06 | 2003-06-12 | Cowie Neil Andrew | Initiating execution of a computer program from an encrypted version of a computer program |
US6735700B1 (en) * | 2000-01-11 | 2004-05-11 | Network Associates Technology, Inc. | Fast virus scanning using session stamping |
US6763466B1 (en) * | 2000-01-11 | 2004-07-13 | Networks Associates Technology, Inc. | Fast virus scanning |
US20050132205A1 (en) * | 2003-12-12 | 2005-06-16 | International Business Machines Corporation | Apparatus, methods and computer programs for identifying matching resources within a data processing network |
US6973578B1 (en) * | 2000-05-31 | 2005-12-06 | Networks Associates Technology, Inc. | System, method and computer program product for process-based selection of virus detection actions |
US7036147B1 (en) * | 2001-12-20 | 2006-04-25 | Mcafee, Inc. | System, method and computer program product for eliminating disk read time during virus scanning |
US20060236396A1 (en) * | 2005-04-14 | 2006-10-19 | Horne Jefferson D | System and method for scanning memory for pestware offset signatures |
US7367056B1 (en) * | 2002-06-04 | 2008-04-29 | Symantec Corporation | Countering malicious code infections to computer files that have been infected more than once |
2005
- 2005-06-16 US US11/154,267 (granted as US7861296B2), not active, Expired - Fee Related
Patent Citations (14)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5473769A (en) * | 1992-03-30 | 1995-12-05 | Cozza; Paul D. | Method and apparatus for increasing the speed of the detecting of computer viruses |
US5577224A (en) * | 1994-12-13 | 1996-11-19 | Microsoft Corporation | Method and system for caching data |
US6021510A (en) * | 1997-11-24 | 2000-02-01 | Symantec Corporation | Antivirus accelerator |
US6094731A (en) * | 1997-11-24 | 2000-07-25 | Symantec Corporation | Antivirus accelerator for computer networks |
US6735700B1 (en) * | 2000-01-11 | 2004-05-11 | Network Associates Technology, Inc. | Fast virus scanning using session stamping |
US6763466B1 (en) * | 2000-01-11 | 2004-07-13 | Networks Associates Technology, Inc. | Fast virus scanning |
US6973578B1 (en) * | 2000-05-31 | 2005-12-06 | Networks Associates Technology, Inc. | System, method and computer program product for process-based selection of virus detection actions |
US7251830B1 (en) * | 2000-05-31 | 2007-07-31 | Mcafee, Inc. | Process-based selection of virus detection actions system, method and computer program product |
US20030101381A1 (en) * | 2001-11-29 | 2003-05-29 | Nikolay Mateev | System and method for virus checking software |
US20030110387A1 (en) * | 2001-12-06 | 2003-06-12 | Cowie Neil Andrew | Initiating execution of a computer program from an encrypted version of a computer program |
US7036147B1 (en) * | 2001-12-20 | 2006-04-25 | Mcafee, Inc. | System, method and computer program product for eliminating disk read time during virus scanning |
US7367056B1 (en) * | 2002-06-04 | 2008-04-29 | Symantec Corporation | Countering malicious code infections to computer files that have been infected more than once |
US20050132205A1 (en) * | 2003-12-12 | 2005-06-16 | International Business Machines Corporation | Apparatus, methods and computer programs for identifying matching resources within a data processing network |
US20060236396A1 (en) * | 2005-04-14 | 2006-10-19 | Horne Jefferson D | System and method for scanning memory for pestware offset signatures |
Cited By (71)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7346781B2 (en) * | 2001-12-06 | 2008-03-18 | Mcafee, Inc. | Initiating execution of a computer program from an encrypted version of a computer program |
US20030110387A1 (en) * | 2001-12-06 | 2003-06-12 | Cowie Neil Andrew | Initiating execution of a computer program from an encrypted version of a computer program |
US20060230291A1 (en) * | 2005-04-12 | 2006-10-12 | Michael Burtscher | System and method for directly accessing data from a data storage medium |
US7565695B2 (en) | 2005-04-12 | 2009-07-21 | Webroot Software, Inc. | System and method for directly accessing data from a data storage medium |
US7975303B1 (en) * | 2005-06-27 | 2011-07-05 | Symantec Corporation | Efficient file scanning using input-output hints |
US20090307099A1 (en) * | 2005-07-08 | 2009-12-10 | Tanik Murat M | Drag-and-Drop Communication of Data Via a Computer Network |
US7730040B2 (en) * | 2005-07-27 | 2010-06-01 | Microsoft Corporation | Feedback-driven malware detector |
US20070038677A1 (en) * | 2005-07-27 | 2007-02-15 | Microsoft Corporation | Feedback-driven malware detector |
US20080281772A2 (en) * | 2005-11-30 | 2008-11-13 | Webroot Software, Inc. | System and method for managing access to storage media |
US20070124267A1 (en) * | 2005-11-30 | 2007-05-31 | Michael Burtscher | System and method for managing access to storage media |
US20070203884A1 (en) * | 2006-02-28 | 2007-08-30 | Tony Nichols | System and method for obtaining file information and data locations |
US7818807B1 (en) | 2006-06-30 | 2010-10-19 | Symantec Corporation | System and method of logical prefetching for optimizing file scanning operations |
US20080028388A1 (en) * | 2006-07-26 | 2008-01-31 | Michael Burtscher | System and method for analyzing packed files |
US20080028466A1 (en) * | 2006-07-26 | 2008-01-31 | Michael Burtscher | System and method for retrieving information from a storage medium |
US20080028462A1 (en) * | 2006-07-26 | 2008-01-31 | Michael Burtscher | System and method for loading and analyzing files |
US8578495B2 (en) | 2006-07-26 | 2013-11-05 | Webroot Inc. | System and method for analyzing packed files |
US9754102B2 (en) | 2006-08-07 | 2017-09-05 | Webroot Inc. | Malware management through kernel detection during a boot sequence |
US20100107246A1 (en) * | 2007-02-09 | 2010-04-29 | Ntt Docomo, Inc. | Terminal device and method for checking a software program |
US8392988B2 (en) * | 2007-02-09 | 2013-03-05 | Ntt Docomo, Inc. | Terminal device and method for checking a software program |
US20080289041A1 (en) * | 2007-03-14 | 2008-11-20 | Alan Paul Jarvis | Target data detection in a streaming environment |
US20080256634A1 (en) * | 2007-03-14 | 2008-10-16 | Peter Pichler | Target data detection in a streaming environment |
US9396333B1 (en) * | 2007-05-30 | 2016-07-19 | Trend Micro Incorporated | Thin client for computer security applications |
US8505101B1 (en) * | 2007-05-30 | 2013-08-06 | Trend Micro Incorporated | Thin client for computer security applications |
US8127358B1 (en) * | 2007-05-30 | 2012-02-28 | Trend Micro Incorporated | Thin client for computer security applications |
US20110214617A1 (en) * | 2007-08-07 | 2011-09-08 | The Kong Company, Llc | Pet toy with noise making instrument |
US9460287B2 (en) | 2007-08-10 | 2016-10-04 | Fortinet, Inc. | Efficient data transfer in a virus co-processing system |
US9892257B2 (en) | 2007-08-10 | 2018-02-13 | Fortinet, Inc. | Efficient data transfer in a virus co-processing system |
US10176322B2 (en) | 2007-08-10 | 2019-01-08 | Fortinet, Inc. | Operation of a dual instruction pipe virus co-processor |
US10091248B2 (en) | 2007-08-10 | 2018-10-02 | Fortinet, Inc. | Context-aware pattern matching accelerator |
US9773113B2 (en) | 2007-08-10 | 2017-09-26 | Fortinet, Inc. | Operation of a dual instruction pipe virus co-processor |
US9756081B2 (en) | 2007-08-10 | 2017-09-05 | Fortinet, Inc. | Context-aware pattern matching accelerator |
US9679138B2 (en) | 2007-08-10 | 2017-06-13 | Fortinet, Inc. | Virus co-processor instructions and methods for using such |
US9411960B2 (en) | 2007-08-10 | 2016-08-09 | Fortinet, Inc. | Virus co-processor instructions and methods for using such |
US9355251B2 (en) * | 2007-08-10 | 2016-05-31 | Fortinet, Inc. | Efficient data transfer in a virus co-processing system |
US9219748B2 (en) | 2007-08-10 | 2015-12-22 | Fortinet, Inc. | Virus co-processor instructions and methods for using such |
US9141798B2 (en) | 2007-08-10 | 2015-09-22 | Fortinet, Inc. | Operation of a dual instruction pipe virus co-processor |
US20140096254A1 (en) * | 2007-08-10 | 2014-04-03 | Fortinet, Inc. | Efficient data transfer in a virus co-processing system |
US20090089497A1 (en) * | 2007-09-28 | 2009-04-02 | Yuriy Bulygin | Method of detecting pre-operating system malicious software and firmware using chipset general purpose direct memory access hardware capabilities |
US20090182790A1 (en) * | 2008-01-11 | 2009-07-16 | Verivue, Inc. | Storage of Data |
US8364892B2 (en) | 2008-01-11 | 2013-01-29 | Verivue, Inc. | Asynchronous and distributed storage of data |
US20090182939A1 (en) * | 2008-01-11 | 2009-07-16 | Verivue, Inc. | Asynchronous and Distributed Storage of Data |
US8799535B2 (en) * | 2008-01-11 | 2014-08-05 | Akamai Technologies, Inc. | Storage of data utilizing scheduling queue locations associated with different data rates |
US8584029B1 (en) * | 2008-05-23 | 2013-11-12 | Intuit Inc. | Surface computer system and method for integrating display of user interface with physical objects |
US7530106B1 (en) * | 2008-07-02 | 2009-05-05 | Kaspersky Lab, Zao | System and method for security rating of computer processes |
US20100115619A1 (en) * | 2008-11-03 | 2010-05-06 | Michael Burtscher | Method and system for scanning a computer storage device for malware incorporating predictive prefetching of data |
US20100169972A1 (en) * | 2008-12-31 | 2010-07-01 | Microsoft Corporation | Shared repository of malware data |
US20100242109A1 (en) * | 2009-03-17 | 2010-09-23 | Lee Graham J | Method and system for preemptive scanning of computer files |
US8392379B2 (en) * | 2009-03-17 | 2013-03-05 | Sophos Plc | Method and system for preemptive scanning of computer files |
US11489857B2 (en) | 2009-04-21 | 2022-11-01 | Webroot Inc. | System and method for developing a risk profile for an internet resource |
US20110191850A1 (en) * | 2010-02-04 | 2011-08-04 | F-Secure Oyj | Malware detection |
US8677491B2 (en) * | 2010-02-04 | 2014-03-18 | F-Secure Oyj | Malware detection |
US8424093B2 (en) * | 2010-11-01 | 2013-04-16 | Kaspersky Lab Zao | System and method for updating antivirus cache |
US20120159633A1 (en) * | 2010-11-01 | 2012-06-21 | Kaspersky Lab Zao | System and Method for Updating Antivirus Cache |
US8146162B1 (en) * | 2010-11-01 | 2012-03-27 | Kaspersky Lab Zao | System and method for acceleration of malware detection using antivirus cache |
US7962959B1 (en) * | 2010-12-01 | 2011-06-14 | Kaspersky Lab Zao | Computer resource optimization during malware detection using antivirus cache |
US8595839B2 (en) | 2011-01-21 | 2013-11-26 | International Business Machines Corporation | Selecting one of a plurality of scanner nodes to perform scan operations for an interface node receiving a file request |
US8650650B1 (en) | 2012-12-25 | 2014-02-11 | Kaspersky Lab Zao | System and method for selecting synchronous or asynchronous file access method during antivirus analysis |
US9317679B1 (en) * | 2013-06-25 | 2016-04-19 | Symantec Corporation | Systems and methods for detecting malicious documents based on component-object reuse |
US9230111B1 (en) | 2013-06-25 | 2016-01-05 | Symantec Corporation | Systems and methods for protecting document files from macro threats |
US9686304B1 (en) * | 2013-06-25 | 2017-06-20 | Symantec Corporation | Systems and methods for healing infected document files |
US20150358287A1 (en) * | 2014-04-11 | 2015-12-10 | Level 3 Communications, Llc | Incremental Application of Resources to Network Traffic Flows Based on Heuristics and Business Policies |
US9825868B2 (en) | 2014-04-11 | 2017-11-21 | Level 3 Communications, Llc | Incremental application of resources to network traffic flows based on heuristics and business policies |
US10291534B2 (en) * | 2014-04-11 | 2019-05-14 | Level 3 Communications, Llc | Incremental application of resources to network traffic flows based on heuristics and business policies |
US9473456B2 (en) * | 2014-04-11 | 2016-10-18 | Level 3 Communications, Llc | Incremental application of resources to network traffic flows based on heuristics and business policies |
US10032023B1 (en) * | 2016-03-25 | 2018-07-24 | Symantec Corporation | Systems and methods for selectively applying malware signatures |
US20190278583A1 (en) * | 2017-03-30 | 2019-09-12 | Pax Computer Technology (Shenzhen) Co., Ltd | Method for updating firmware, terminal and computer readable non-volatile storage medium |
US11062021B2 (en) * | 2017-08-29 | 2021-07-13 | NortonLifeLock Inc. | Systems and methods for preventing malicious applications from exploiting application services |
US11593480B2 (en) * | 2018-07-24 | 2023-02-28 | EMC IP Holding Company LLC | Predictive scheduled anti-virus scanning |
US10834121B2 (en) * | 2018-07-24 | 2020-11-10 | EMC IP Holding Company LLC | Predictive real-time and scheduled anti-virus scanning |
US11003770B2 (en) * | 2018-07-24 | 2021-05-11 | EMC IP Holding Company LLC | Predictive real-time anti-virus scanning |
US10929536B2 (en) | 2018-09-14 | 2021-02-23 | Infocyte, Inc. | Detecting malware based on address ranges |
Also Published As
Publication number | Publication date |
---|---|
US7861296B2 (en) | 2010-12-28 |
Similar Documents
Publication | Title | Publication Date |
---|---|---|
US7861296B2 (en) | System and method for efficiently scanning a file for malware | |
EP1655682B1 (en) | System and Method of Aggregating the Knowledge Base of Antivirus Software Applications | |
US8161557B2 (en) | System and method of caching decisions on when to scan for malware | |
US7765410B2 (en) | System and method of aggregating the knowledge base of antivirus software applications | |
US7478237B2 (en) | System and method of allowing user mode applications with access to file data | |
US7266843B2 (en) | Malware scanning to create clean storage locations | |
US7765400B2 (en) | Aggregation of the knowledge base of antivirus software | |
US5473769A (en) | Method and apparatus for increasing the speed of the detecting of computer viruses | |
US5502815A (en) | Method and apparatus for increasing the speed at which computer viruses are detected | |
US6721847B2 (en) | Cache hints for computer file access | |
US7937404B2 (en) | Data processing system and method | |
US20060037079A1 (en) | System, method and program for scanning for viruses | |
EP2237185B1 (en) | Method for optimization of anti-virus scan | |
US20050081053A1 (en) | Systems and methods for efficient computer virus detection | |
US20040088570A1 (en) | Predictive malware scanning of internet data | |
US7836505B2 (en) | Accelerated file scanning | |
US20070079377A1 (en) | Virus scanning in a computer system | |
US7251735B2 (en) | Buffer overflow protection and prevention | |
WO2008048665A2 (en) | Method, system, and computer program product for malware detection analysis, and response | |
WO2012098018A1 (en) | Malware detection | |
US7506374B2 (en) | Memory scanning system and method | |
US7346611B2 (en) | System and method for accessing data from a data storage medium | |
US7155741B2 (en) | Alteration of module load locations | |
US7975303B1 (en) | Efficient file scanning using input-output hints | |
US8065736B2 (en) | Using asynchronous changes to memory to detect malware |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| | AS | Assignment | Owner name: MICROSOFT CORPORATION, WASHINGTON. Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:COSTEA, MIHAI;BIVOL, ADRIAN;MARINESCU, ADRIAN M.;AND OTHERS;SIGNING DATES FROM 20050615 TO 20050616;REEL/FRAME:016293/0141. Owner name: MICROSOFT CORPORATION, WASHINGTON. Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:COSTEA, MIHAI;BIVOL, ADRIAN;MARINESCU, ADRIAN M.;AND OTHERS;REEL/FRAME:016293/0141;SIGNING DATES FROM 20050615 TO 20050616 |
| | FEPP | Fee payment procedure | Free format text: PAYOR NUMBER ASSIGNED (ORIGINAL EVENT CODE: ASPN); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY |
| | STCF | Information on status: patent grant | Free format text: PATENTED CASE |
| | FPAY | Fee payment | Year of fee payment: 4 |
| | AS | Assignment | Owner name: MICROSOFT TECHNOLOGY LICENSING, LLC, WASHINGTON. Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:MICROSOFT CORPORATION;REEL/FRAME:034543/0001. Effective date: 20141014 |
| | MAFP | Maintenance fee payment | Free format text: PAYMENT OF MAINTENANCE FEE, 8TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1552). Year of fee payment: 8 |
| | FEPP | Fee payment procedure | Free format text: MAINTENANCE FEE REMINDER MAILED (ORIGINAL EVENT CODE: REM.); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY |
| | LAPS | Lapse for failure to pay maintenance fees | Free format text: PATENT EXPIRED FOR FAILURE TO PAY MAINTENANCE FEES (ORIGINAL EVENT CODE: EXP.); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY |
| | STCH | Information on status: patent discontinuation | Free format text: PATENT EXPIRED DUE TO NONPAYMENT OF MAINTENANCE FEES UNDER 37 CFR 1.362 |
| | FP | Lapsed due to failure to pay maintenance fee | Effective date: 20221228 |